[WebInstall] shared web contents does credentialed navigations

34 views

Skip to first unread message

Lia Hiscock

unread,

Feb 26, 2026, 7:41:17 PMFeb 26

to Dan Murphy, pwa-dev

Hi Dan! Sorry to hear you’re not feeling well. Whenever you’re back and ready, hoping to get your thoughts here –

Our privacy reviewer @npm, along with @engedy, raised concerns about the shared_web_contents navigation path used during install:

Chromestatus discussion with npm – mentions risks of cross site tracking and inflation of analytics through “ghost traffic”.
Today, WebAppCommandManager creates the shared_web_contents with the user’s profile, and WebAppUrlLoader calls LoadUrl with generic LoadURLParams.

IIUC this results in a standard, full-page navigation through the normal nav stack.

This applies to both <install> and navigator.install (and is likely another point in favor of installing via manifest URL).

We’re mainly trying to understand how real this issue is in practice, and whether this behavior is working as intended, since WAUrlLoader is used by most web app commands (although web install is likely the only one doing cross origin navigations).

Thanks!

Lia

Lia Hiscock

unread,

Mar 3, 2026, 1:50:37 PMMar 3

to pwa-dev, Lia Hiscock, pwa-dev, Dan Murphy, arthurs...@google.com, mk...@google.com, n...@google.com

Adding security/privacy folks for a proper group discussion :) (Sorry for the noise Dan). Outstanding concerns/thoughts from some individual threads --

> Scared that this previous implementation spawns a hidden web content that navigates to the install_url to fetch metadata from the HTML document. This has many side effects that are difficult to fully understand. It would have been simpler to allow fetching only the manifest's JSON file without credentials

> I wonder about things like third-party and/or `SameSite` cookies, Fetch Metadata representations, etc. It would be ideal to verify that we're not creating ways of bypassing either user or developer expectations about requests' context. From the comment thread it sounds like our current behavior for both the element and API could be improved.

Quick links for reference -

ChromeStatus - Web app HTML install element - Chrome Platform Status

Explainer - WICG/install-element: An `<install>` element might be nice.

Crbug - [<install> Element] Enable Declarative installation of Web Apps from Web Content [454827186] - Chromium