#1164: Incubation: PWA (same-site) Origin Migration


Opened Oct 30, 2025

Explainer

https://github.com/WICG/manifest-incubations/blob/gh-pages/pwa-migration-explainer.md

The explainer

Where and by whom is the work being done?

Feedback so far

You should also know that...

No response


Track conversations at https://tag-github-bot.w3.org/gh/w3ctag/design-reviews/1164

Discussions

Discussed Dec 1, 2025 (See Github)

Christian: The proposal may be out of date. They may want to do cross-origin handshakes.

Lola: We need an updated explainer, if so.

I'll comment and ask.

Yves: My concerns were mitigated by the fact that it was same-site only. They were making an assertion on behalf of other resources. So if they've changed, I'm concerned. It's better to clarify if it has changed.

Hadley: I agree.

Comment by @lolaodelola Dec 4, 2025 (See Github)

Hi @mkruisselbrink,

We've heard that there may have been changes to this proposal. Should we wait for you to update this proposal with a new explainer and details?

Comment by @mkruisselbrink Dec 4, 2025 (See Github)

Thanks for asking, I updated the explainer a couple of days ago to take into account some feedback we got from our web platform security team. I am not currently aware of any other changes that we might want to make, so it should be good to look at.

Discussed Dec 8, 2025 (See Github)

Yves: Bump to next week.

Hadley: They updated the explainer 4 days ago, so we're not far behind.

Discussed Dec 15, 2025 (See Github)

Yves: Started to take a look at it, but I’m not done yet. Find it strange that you have to be at the new location, and go back to the previous one. Redirect would also seem feasible. Need to figure out the choreography first. Think it’s dangerous if this is cross-origin.

Hadley: I’m very concerned about going cross-origin.

Christian: It’s related to my work. Didn’t have a look yet, but I’m happy to do so.

Jeffrey: This supports going from maps.google.com to google.com/maps, that’s why the two-way handshake is needed.

Hadley: There was a pattern we had in the past where there was an imbalance of power, think large ad networks, where one party says "do this [like post this dodgy javascript] in order to get paid". And the site will do it. Two-way handshake doesn’t mitigate that.

Jeffrey: We might want to say, you can do this to become more fine-grained, but not the other way.

Yves: We could avoid transferring permissions.

Jeffrey: This doesn’t happen.

Yves: Same-site seems ok, but I think information in a redirect would be better.

Lola: Why do this instead of some kind of user-facing notification provided by the app? "Please download the new app."

Jeffrey: It would make sense to ask them that, but I think the answer is that a high percentage of users don’t transfer.

Have an answer for Yves regarding the redirect. If you redirect from one origin to another, then a UA that doesn’t understand the transfer is going to give you a bad UI in the app. Looks like you’ve navigated to an external page on an installed app. So, they have to try to detect the install status before being able to redirect.

Christian: This is an issue, because if you install an app it's pinned to the origin you installed it from. So a redirect would give you the address bar, which is what you try to avoid when creating an app. So I think the proposal is valid, but I need to take a closer look.

Yves: It's weird. It would be better to say, "It's an installed app, and I know it's ???. I know that this app has been upgraded and I should go to this other place." It seems a better option than trying to trick what's installed.

Christian: Need to think about this, let's keep talking offline.

Yves: That’s why I meant knowing the choreography would help to determine if this is a good approach or not.

Matthew: I have a concern from a user’s perspective, when someone buys an app, there should be some form of opt-out rather than it’s just happening.

Hadley: Tend to agree, but if they got control of the backend, don’t they have the data anyway?

Matthew: Think there’s also a geographical vector, some jurisdictions require notification in that case anyway, don't they?

Yves: In the case of an acquisition, it will likely not be same-site anymore.

Lola: Let's keep working on this one async then.