That's indeed a tricky one. Even though I work with PWAs, I could see myself being misled by this with a GitHub credential. Good reminder to only connect third-party services with access tokens.
Surely you could pull this trick just by using full screen mode couldn't you? And all that requires is any user interaction.
Does this fool tools like 1Password?
I don’t think this is much worse than OAuth itself. You just have to make a “Login with Google/Facebook/X” button.
Also, the thing about the URL won’t make much practical difference for the user. The reason is that a lot of the flows can redirect through different domains. For example, when I sign in with Google on a third-party site, I often see a redirect through the YouTube domain.
So users are not expecting full fidelity to the domain.
Yes, but I found it a little earlier (4 years ago): https://github.com/0x1235/PWA_Spoofing_PoC
What makes this PWA specific rather than just “installable software”?
I think you could do the same in native apps? So yeah, not much you can do about careless users. I suppose you could use something like an app store to provide some checks and a little more security. But then you're likely to run into monopolies again...
This reminds me of OAuth screens where you are not sure why your password manager doesn’t work…
What's the difference between this and just having a button on your website that redirects to a spoof microsoft login page?