Web App Separate Isolated Session


The ability to simply convert a website to an app (WhatsApp, music players, etc.) is next to essential for me, and how simple it is in Edge is amazing.

Edge Dev however seems to treat this as simply a new borderless window and share the current session data (mostly, what accounts are logged in), however it would be a lot more useful if it was a completely isolated session (cookies, cache, etc.).

Example of why this is critical is I have multiple Microsoft accounts, work O365, contract with a separate "guest teams" account, and my personal MS account. Currently these get cross-contaminated in terms of which one is signed in to my "Teams Web App" and it is beyond frustrating; once I was careless and posted a file to the wrong person - thankfully harmless.

Currently on Dev.

7 Replies

Hello Andrew, this is such a great idea! :smile:

It'd help me too, prevent other websites from snooping in my social media stuff because I have Facebook, Twitter and Instagram installed as PWA but the fact that they are currently not isolated makes them less secure, privacy-wise.


@andrewvinci 


@andrewvinci wrote:

I have multiple Microsoft accounts, work O365, contract with a separate "guest teams" account, and my personal MS account. Currently these get cross-contaminated in terms of which one is signed in ...


Does this cross-contamination also happen if each account (Microsoft Account, work or school account) has its own browser profile? As far as I can tell, browser data stay within the profile in use at the time, as do installed apps.


@Noel Burgess

I haven't tested, I must admit; however, I would hope not, otherwise it would be a more substantial issue! I keep all of my various login sessions under my personal MS account. One big reason is my O365 work account doesn't support data sync (we aren't paying for the higher tier AAD). Even so, I am not sure how to determine which profile the Web App is running under.


@andrewvinci thanks for bringing this up. We are discussing this and running some experiments. Currently, PWAs are installed per profile, so if you have two profiles in Edge, you can have two PWAs installed (one for each profile) - those are completely separate. You are correct about the current design with one profile, though. PWAs behave the same with regard to cookies (etc.) as if you were just on the website in the browser. You can imagine how much of a benefit this is for web developers who can trust that when you create a PWA from their site, you remain logged in.

But as I say, we think this is probably something that some end users want, and some web devs want. So we are planning on being very data driven. We may run A/B experiments, but first we will want to get developer reaction and try to figure out a good design that will make the majority of people happy.

-John


@HotCakeX 

Amazing how we just keep dancing around the issue of Edge not having "Containers", isn't it? Still the one and only reason that I don't delete Firefox. If the Web Apps were each established as a stand-alone sandbox, that would be a decent compromise on the idea.


@johnjansen Thanks John, fully aware of the advantage of that. I tried to keep my initial post fairly concise. I'll stick to "web app" here as this is mostly about apps that people install from a website, e.g. they go to www.contoso.com, and then hit the '...' and 'Apps' -> "Install", regardless if the site is a standard webpage, or a proper PWA (with manifest, etc.).

In the case where an app is installed from having already visited the website, I could foresee keeping 'signed-in ness' and a consistent experience for devs, that same-site cookies could be kept, and all others discarded (this may still break SSO); with an option to start a fresh session for privacy-focused users.

Personally, even if the user is required to sign in again, I wouldn't expect that it would cause excessive friction/bounce rate. Even a notification "For your privacy, we keep this new App separate to your other browsing - so you'll have to sign in again".

As you indicated, A/B is the way to go.

They can't limit it only to that. Edge gives us freedom to install ANY website as an app, not only websites that are kinda a web app, such as WhatsApp Web, Spotify web player, Google Photos, Outlook etc.