
I am reminded very strongly of the line of death:

https://textslashplain.com/2017/01/14/the-line-of-death/

Now, don't get me wrong, I love the idea of progressive web apps, but the web is also easily the very least secure thing I do with my computer on a regular basis. The last thing I want is yet another way for a web page to pretend to look like a native app. Even with my decades of experience, I am liable to be fooled in a hasty, tired moment, and I suspect I'm not alone.




In other ways, the web environment is the most secure part of your OS. Download and install an .exe and it's essentially completely unsandboxed and has free rein over your computer. These 'PWAs' are much more limited and scoped.


That's the first article that came to mind when I read the article: this is going to be a godsend to phishers. Granting random sites the ability to render a counterfeit toolbar, including an address bar with the green padlock that reads "https://bank.com" or "https://sso.internal.corp.com", will be a security nightmare.


Worth noting that this feature is limited to installed PWAs, so you'd either have to convince the user to install a PWA via the URL bar affordance (which already requires real HTTPS and respects the LOD), or to manually install a site-as-app through the browser's (relatively buried) UI, at which point you get the same site you're already on, but with a new titlebar. That seems like a pretty unrealistic vector and is much less complex than just getting users to install an .exe.

That said, even with the Window Controls Overlay, the minimal browser controls (close/restore/minimize) are mandatory, as is the browser-owned "..." menu which includes basic trust information for the site as well as app controls (uninstall, permissions, etc.).
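The mechanics the comment above describes, as an added example that is not code from the thread or from any browser vendor: an installed PWA that opts into Window Controls Overlay via "display_override": ["window-controls-overlay"] in its manifest asks navigator.windowControlsOverlay for the rect it may draw into, and that rect already excludes the browser-owned window controls and "..." menu, so the app can paint anything it likes (including a fake address bar) only inside the reported area, never over the browser's region. The mock overlay object, the 1024 px window width, the 138 px reserved strip and the #titlebar element id are constructed assumptions for an offline run; the real API calls used are navigator.windowControlsOverlay.visible, getTitlebarAreaRect() and the geometrychange event.

```javascript
// Added example, not from the HN thread or any browser's code.
// Compute the app-drawable title-bar region and the browser-reserved region(s)
// from the rect the browser reports via getTitlebarAreaRect() and the window width.
function titlebarRegions(overlay, pageWidth) {
  if (!overlay || !overlay.visible) {
    // Overlay not active (tab, plain standalone window, or unsupported browser):
    // the browser draws the whole title bar and the app may draw nothing there.
    return { appArea: null, reserved: [{ x: 0, width: pageWidth }] };
  }
  const r = overlay.getTitlebarAreaRect();
  const reserved = [];
  if (r.x > 0) {
    reserved.push({ x: 0, width: r.x }); // e.g. macOS traffic lights on the left
  }
  if (r.x + r.width < pageWidth) {
    // Windows-style minimize/maximize/close plus the browser's "..." menu on the right
    reserved.push({ x: r.x + r.width, width: pageWidth - r.x - r.width });
  }
  return { appArea: { x: r.x, y: r.y, width: r.width, height: r.height }, reserved };
}

// Lay out a custom title-bar element inside the app-drawable region and keep it in
// sync when the window is resized or the overlay is toggled (geometrychange fires then).
function attachTitlebar(el, overlay, getPageWidth) {
  function apply() {
    const { appArea } = titlebarRegions(overlay, getPageWidth());
    if (!appArea) {
      el.style.display = 'none';
      return;
    }
    el.style.display = 'block';
    el.style.position = 'fixed';
    el.style.left = appArea.x + 'px';
    el.style.top = appArea.y + 'px';
    el.style.width = appArea.width + 'px';
    el.style.height = appArea.height + 'px';
    // Mark the custom bar as a drag region so the window can still be moved by it.
    el.style.webkitAppRegion = 'drag';
  }
  apply();
  if (overlay && typeof overlay.addEventListener === 'function') {
    overlay.addEventListener('geometrychange', apply);
  }
  return apply;
}

// Constructed mock of navigator.windowControlsOverlay for an offline run: a
// 1024 px-wide window in which the browser keeps the rightmost 138 px for its
// controls and "..." menu, and reports the remaining 886 px to the app.
function mockOverlay(visible = true) {
  return {
    visible,
    getTitlebarAreaRect: () => ({ x: 0, y: 0, width: 886, height: 32 }),
    addEventListener: () => {},
  };
}

// In a real browser with the overlay available, attach to the page's own title-bar
// element (assumed here to have id "titlebar"); elsewhere this block is skipped.
if (typeof navigator !== 'undefined' && navigator.windowControlsOverlay &&
    typeof document !== 'undefined') {
  const el = document.getElementById('titlebar');
  if (el) attachTitlebar(el, navigator.windowControlsOverlay, () => window.innerWidth);
}
```

The security-relevant observation is in titlebarRegions: everything outside the reported rect is browser-owned and unreachable from page content, while everything inside it is under the app's full control, which is exactly the area a phishing page would use to draw a counterfeit address bar.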


> so you'd either have to convince the user to install a PWA via the URL bar affordance (which already requires real HTTPS and respects the LOD),

Getting a valid SSL certificate for getFakeSaas.com is free, and respecting LoD has no effect at this time. Once the PWA is installed, there is no LOD, and my PWA can phish any domain I desire with faked affordances.



