To clarify for non-tech folk: TL;DR, there's a silent browser war afoot -- a tug-of-war between apps and real browsers. Some apps use technology designed to show in-app content to render (unsafe) out-of-app content. This endangers privacy, but also hurts the web. https://twitter.com/tomayac/status/1105053795917225985
I say "silent" because the UI presented by real browsers via Chrome Custom Tabs (CCT) and legacy "in-app browsers" based on WebView is often hard to spot: https://developer.chrome.com/multidevice/android/customtabs
To see which approach an app is taking, click on a link that doesn't take you "all the way out" to a browser and look for the 3-dot menu (or equivalent). If it has a "Powered by <Browser>" item at the bottom of the menu, it's CCT: https://developer.chrome.com/multidevice/images/customtab/twitter_menu.png
If you *don't* see that, you're dealing with a WebView -- which is the app doing a *very bad thing*. What's the difference? Buckle up, this gets slightly technical. WebView is a system component of Android. These days, it auto-updates, but didn't always do so.
WebViews were designed for loading content *from the app* into the app. That is, stuff it trusts. The threat model both from security and privacy is pretty straightforward. Things get funky when you load stuff from other parties.
Browsers, on the other hand, are designed to update outside the OS update cycle and fundamentally mistrust content -- they're the *user's* agent, rather than an app component.
This difference runs deep, but the most important thing to understand is that users choose browsers. That's an intentional preference that should mean something.
When apps use CCT to load third-party content, they are _respecting user choice_. But they're also practicing security hygiene and acting as good web citizens. Why? First, WebView puts the problem of loading content onto the app. This means that apps *incidentally* see plaintext
CCT invocation, on the other hand, delegates this problem to the user's default browser. And browsers spend a _lot_ of time and effort getting transport security and UI indicators about safety right. Now, OS vendors realized that this was happening and have responded (a bit).
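As an added illustration of the two approaches the thread contrasts (this is example code written for this page, not code from the thread author or from Chrome), here is what each path looks like in Android Java. The class name `ThirdPartyLinkOpener` and the log tag are assumed; the APIs (`WebViewClient.shouldInterceptRequest`, `CookieManager`, `androidx.browser.customtabs.CustomTabsIntent`) are the real platform and AndroidX ones.

```java
// Added example (not from the thread): the two ways an Android app can open a
// third-party URL. The WebView path puts the app in the middle of every request;
// the Custom Tabs path hands the URL to the user's default browser instead.
import android.content.Context;
import android.net.Uri;
import android.util.Log;
import android.webkit.CookieManager;
import android.webkit.WebResourceRequest;
import android.webkit.WebResourceResponse;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import androidx.browser.customtabs.CustomTabsIntent;

public class ThirdPartyLinkOpener {

    // Legacy "in-app browser": the app owns the rendering engine, so every
    // request the third-party page makes (URL, method, headers) and the site's
    // cookies held in the app-process CookieManager are visible to app code.
    // This is exactly the "apps incidentally see plaintext" problem: the
    // component was built to render the app's own, trusted content.
    public static void openInWebView(WebView webView, String url) {
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public WebResourceResponse shouldInterceptRequest(WebView view,
                                                              WebResourceRequest request) {
                // Invoked for the page and every sub-resource it loads.
                Log.d("WebViewAudit", request.getMethod() + " " + request.getUrl()
                        + " headers=" + request.getRequestHeaders());
                // The site's session state is readable from the same process.
                String cookies = CookieManager.getInstance()
                        .getCookie(request.getUrl().toString());
                Log.d("WebViewAudit", "cookies visible to app: " + (cookies != null));
                return null; // null = let WebView perform the request normally
            }
        });
        webView.loadUrl(url);
    }

    // Chrome Custom Tabs (androidx.browser): the URL is delegated to the
    // user's default browser, which renders it in its own process with its own
    // cookie jar, TLS stack and security UI. The app never sees the traffic.
    public static void openInCustomTab(Context context, String url) {
        CustomTabsIntent intent = new CustomTabsIntent.Builder().build();
        intent.launchUrl(context, Uri.parse(url));
    }
}
```

The "Powered by <Browser>" menu item described above appears only on the `openInCustomTab` path, which is why it is a usable tell for end users.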
Replying to @slightlylate
Did we mis-brand this when calling it "Chrome" Custom Tabs? Since it's actually the user's default browser?
: the issue is the `shouldInterceptRequest` method (