
Enable Only for PWA ? #40

Closed
kuashe opened this issue Dec 6, 2018 · 3 comments

Comments

@kuashe

kuashe commented Dec 6, 2018

Reading the current security model, I had the same concerns as those raised here: Potentially Unwanted Programs Scan

I was wondering if this feature should only be enabled when apps are running in PWA mode?

My fear is that most users could be tempted to click "Yes" on some websites when the browser prompts for access to the FileSystem, because they aren't exactly aware of what consequences it will have on their system.

Instead, having an app that prompts to be installed first and then prompts for permission to access the file system would really raise the user's attention to the risk involved.

Requiring apps to be installed seems coherent in my opinion, as most apps that would truly benefit from this feature are productivity-based apps, typically the ones showcased on the Electron website.

Those apps have generally been designed with "Desktop" in mind, so forcing PWA would just align with how those applications have been designed while increasing security.

@mkruisselbrink
Contributor

For a variety of reasons we generally don't want to gate entire features behind being an installed PWA. Just having an extra prompt (to install the app) doesn't seem like it would be much of a barrier if most users would click "Yes" anyway (and for filesystem access just clicking "Yes" won't necessarily be enough anyway. Getting access generally involves a file or directory picker where the user has to explicitly pick entries).

@dominickng might be able to explain better why guarding entire features behind being an installed PWA doesn't seem like a good idea.

@dominickng

Gating APIs only to running in PWA mode is undesirable for a number of reasons:

  • It fragments the web platform into installed and not installed, with different APIs available depending on installed state. We generally don't want sites to care (functionality-wise) if they're running in standalone or in a tab - the web should work in both.
  • In a way, Chrome Apps are an illustration of this fragmentation.
  • More importantly, such a split disempowers the drive-by web, and undermines the “try-before-you-buy” ability that the web affords today. We'd be forcing users to install a site to use it, even if they don’t want to install. Plus, users may also not be willing to install a site from which they cannot ascertain any benefit.
  • It's unclear whether installation actually generates any meaningful friction for guarding access to APIs over the drive-by web. We should just make APIs safe to access on the drive-by web overall so that we don't force installation to be a meaningful security boundary in the future
  • Gating APIs behind installing increases the incentive for sites to trick users into installing

As @mkruisselbrink said, we shouldn't just have a straight prompt to blindly allow filesystem access - the user should have to explicitly choose a directory/file from a picker to grant access to.
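
The grant model both replies describe (no blanket "allow file system access" prompt; the user picks a concrete file or directory, and permission is tied to that entry) as an added example. This is not code from the issue, from the spec, or from Chrome; it uses the shipped File System Access API picker calls (`window.showDirectoryPicker`, `FileSystemHandle.queryPermission` / `requestPermission`), while `decideAccess`, `ensureReadWrite`, `onChooseProjectFolder`, `isStandalone` and the file name `notes.txt` are my own illustrative names. The `isStandalone` check is included only to show what the proposed install gate would key on; as the thread concludes, it is not used as a security boundary here.

```javascript
// Added example, not from the WICG issue or from Chrome. Assumed helper names:
// decideAccess, ensureReadWrite, onChooseProjectFolder, isStandalone.

// Pure decision logic, kept separate from the browser API so it can be unit-tested.
// 'prompt' means the user has not yet been asked about this particular entry.
function decideAccess(state) {
  switch (state) {
    case 'granted': return 'use';
    case 'prompt':  return 'ask';
    case 'denied':  return 'refuse';
    default: throw new TypeError(`unknown permission state: ${state}`);
  }
}

// Ask for read/write on one specific handle. Nothing here can widen access to
// anything the user did not pick. requestPermission must run inside a user
// gesture (click, keypress); outside one it resolves 'denied' rather than
// silently granting.
async function ensureReadWrite(handle) {
  const opts = { mode: 'readwrite' };
  let state = await handle.queryPermission(opts);
  if (decideAccess(state) === 'ask') {
    state = await handle.requestPermission(opts);
  }
  return decideAccess(state) === 'use';
}

// What an install gate would key on; shown for reference only. The thread's
// point is that this must not be relied on as the barrier, the picker is.
function isStandalone() {
  return typeof window !== 'undefined' &&
    window.matchMedia('(display-mode: standalone)').matches;
}

// Entry point wired to a button click. The directory picker is itself the
// consent step: there is no API call that asks for "the file system" as a whole,
// and the returned handle is scoped to that directory and its children.
async function onChooseProjectFolder() {
  const dir = await window.showDirectoryPicker();
  if (!(await ensureReadWrite(dir))) {
    throw new Error(`no read/write access to "${dir.name}"`);
  }
  const file = await dir.getFileHandle('notes.txt', { create: true });
  const writable = await file.createWritable();
  await writable.write('hello from the web app\n');
  await writable.close();
  return dir.name;
}
```

`ensureReadWrite` is written against the handle interface only, so it can be exercised with a stand-in handle outside a browser; the picker call itself can only be driven by a real user gesture.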

@kuashe
Author

kuashe commented Dec 10, 2018

Web fragmentation is indeed not a desirable thing.
Web apps should work the same regardless of whether or not they are installed.

Closing as the arguments raised by @dominickng are accurate.

kuashe closed this as completed Dec 10, 2018