PWA permission bypass

Brave Version: version 1.58.135 and later
URLs (if applicable): https://order.chatfood.io
Other browsers tested:
Safari: No issues
Firefox: Same issues
Chrome: Same issues
Edge: Same issues

What steps will reproduce the problem?
(1) Open Brave on an Android device.
(2) Visit the PWA website order.chatfood.io, which hosts multiple Progressive Web Applications (PWAs) within the same domain.
(3) Download and install multiple PWAs from the website, each associated with different restaurant owners. For example, you can download PWA1: https://order.chatfood.io/burger-king/menu, PWA2: https://order.chatfood.io/texas-chicken/menu
(4) Click PWA1 and order delivery food; allow the geolocation permission when it prompts.
(5) Click on PWA2 on your mobile device to order pickup food. Note that PWA2 does not explicitly request geolocation permission, but it can access geolocation data since it belongs to a different restaurant owner. This allows them to track your geolocation without your explicit consent.

What is the expected result?
Different PWAs with distinct Compute App IDs should isolate their permissions.

What happens instead?
The PWAs do not isolate their permissions, leading to the issue where one PWA can access permissions granted to another PWA within the same domain.
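
Added example, not part of the original report: a simplified model of the behaviour described above, in which a permission grant is stored per origin (scheme, host, port) and the URL path of the installed app plays no part. `PermissionStore`, `findSharedPermissionOrigins`, `simulate` and the `example.test` hostnames are hypothetical names constructed for the illustration; the two `order.chatfood.io` URLs are the ones from the report.

```javascript
// Simplified model (assumption): the browser keys permission grants by origin
// (scheme + host + port); the path and the installed app's scope are ignored.
class PermissionStore {
  constructor() { this.grants = new Map(); } // origin -> Set of permission names
  grant(url, name) {
    const origin = new URL(url).origin;
    if (!this.grants.has(origin)) this.grants.set(origin, new Set());
    this.grants.get(origin).add(name);
  }
  isGranted(url, name) {
    const set = this.grants.get(new URL(url).origin);
    return set !== undefined && set.has(name);
  }
}

// Audit helper: report every origin that is shared by more than one installed app.
function findSharedPermissionOrigins(apps) {
  const byOrigin = new Map();
  for (const app of apps) {
    const origin = new URL(app.startUrl).origin;
    if (!byOrigin.has(origin)) byOrigin.set(origin, []);
    byOrigin.get(origin).push(app.name);
  }
  return [...byOrigin]
    .filter(([, names]) => names.length > 1)
    .map(([origin, names]) => ({ origin, apps: names }));
}

// The two start URLs from the report: tenants separated only by path.
const pathTenants = [
  { name: 'PWA1', startUrl: 'https://order.chatfood.io/burger-king/menu' },
  { name: 'PWA2', startUrl: 'https://order.chatfood.io/texas-chicken/menu' },
];
// Constructed comparison: one hostname, and therefore one origin, per tenant.
const hostTenants = [
  { name: 'PWA1', startUrl: 'https://burger-king.example.test/menu' },
  { name: 'PWA2', startUrl: 'https://texas-chicken.example.test/menu' },
];

// The user allows geolocation in the first app; is it already granted in the second?
function simulate(apps) {
  const store = new PermissionStore();
  store.grant(apps[0].startUrl, 'geolocation');
  return store.isGranted(apps[1].startUrl, 'geolocation');
}

console.log('path-separated tenants share the grant:', simulate(pathTenants));
console.log('host-separated tenants share the grant:', simulate(hostTenants));
console.log(findSharedPermissionOrigins(pathTenants));
```

In this model the path-separated apps share the grant and the host-separated ones do not, which is why giving each tenant its own origin is the isolation boundary a site operator can rely on.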
