This seems like a clear-cut case of a missing permission: for an app to be allowed to access your interactions with a domain, it should need to either prove it owns the domain, or receive user permission to access the domain. This safely covers the legitimate use cases of punting out some UI to your website and of just providing a way to view websites in-app, while for iffier use cases permitting both informed consent and fallback to displaying the page without handing out access to it.
Alex Russell wrote a more in-depth article about the issue back in 2021[0]. I don't think the landscape on this end has significantly changed much, since what's said in the article is still mostly relevant these days.
That said, do keep in mind he's not unbiased; he's a PM at Microsoft for Edge and used to work on Chrome. Nowadays he's also one of the Blink API Owners (he approves new Blink Web API features). Most of his writing on the state of the browser market is solid, just know that he's obviously got an angle and arguably is also responsible for the modern Blink monoculture.
I would love if this were implemented. For one thing it would prevent insane App Store rejections like [this](https://mastodon.social/@vandal/112167322002780991) which actively requires using an in-app browser. I wish there were a setting to never use an in app web browser on iOS.
> I wish there were a setting to never use an in app web browser on iOS.
I get that, but by the same token, a thoughtful app maker can provide that option to you today (I have apps on my device that explicitly have that option).
Honestly, if this rule were in place, that App Store rejection would make even /more/ sense — it’s even /more/ cumbersome to stitch together a login flow by redirecting to another entirely separate app (the default browser).
These days I feel like Spider-Man swinging from in-app browser to Safari to another in-app browser to open in app. Sometimes switching 3-4 browsers before getting to my destination. Absolutely ridiculous, and should certainly be eliminated.
I doubt most users care enough (even if this is a real issue). So it seems like the only way this practice could be mitigated is if it somehow is unaligned with OS vendors' (Apple, Android) interests.
Like, maybe it harms Apple's reputation as privacy champions, or creates security vulnerabilities or something.
> Apple must update SFSafariViewController (Apple’s system provided in-app browser for iOS) to respect the user's choice of default browser.
I don’t understand this ask. If the idea is that in-app browsers are inherently compromised either through security or user preference, then at that point it makes no sense for an in-browser component to exist in the first place; all it’s going to do is invisibly bounce the request from the app to the default browser, at which point the app might as well just invoke the default browser directly and not bother using the in-app version.