This would be quite required for webOS platform as well, so I proposed https://github.com/WICG/isolated-web-apps/pull/6. I'm wondering if there is any major consideration or difficulty to be discussed with other stakeholders in this subject.
On Tuesday, April 26, 2022 at 1:13:35 AM UTC+9 [email protected] wrote: > This is incredibly exciting. Congrats on getting this design to a place > where it can be implemented. > > > > On Monday, April 18, 2022 at 2:48:28 PM UTC-7 Reilly Grant wrote: > >> Contact emails >> >> [email protected], [email protected] >> >> Explainer >> >> https://github.com/reillyeon/isolated-web-apps/blob/main/README.md >> >> Specification >> >> Still at the explainer stage. >> >> Summary >> >> Isolated Web Apps extend Progressive Web App >> <https://web.dev/progressive-web-apps/> installation and Web Packaging >> to provide stronger protection against server compromise and other >> tampering. A small set of security-sensitive applications require this to >> migrate from Chrome Apps, Electron, or other web-adjacent solutions. >> >> Rather than being hosted on live web servers and fetched over HTTPS, >> these applications are packaged into Web Bundles, signed by their >> developer, and distributed to end-users through one or more of the >> potential methods described in the explainer. >> >> Blink component >> >> UI>Browser>WebAppInstalls>Isolated (component request filed >> <https://bugs.chromium.org/p/chromium/issues/detail?id=1316838>) >> >> Motivation >> >> Content Security Policy (CSP) provides strong protection against >> cross-site scripting (XSS) vulnerabilities. Transport Layer Security (TLS) >> and Subresource Integrity (SRI) provide protection against resources being >> tampered with in transit or when hosted on third-party servers. However, >> the threat model for some particularly security sensitive applications >> includes the main application server itself being compromised and serving >> malicious content. This goes beyond the protections that current policies >> can provide and requires exploring alternative ways that these applications >> could be distributed and validated. >> >> TAG review >> >> Not yet filed. >> >> Risks >> Interoperability and Compatibility >> >> Gecko: No signal >> >> WebKit: No signal >> >> Web developers: No signals on this proposal but we’ve seen concerned >> developers looking for solutions in this space. See the explainer for >> details. >> >> Other signals: >> >> WebView application risks >> >> Does this intent deprecate or change behavior of existing APIs, such that >> it has potentially high risk for Android WebView-based applications? >> >> As this concept only applies to installed web applications it won’t be >> available in WebViews. >> >> >> Debuggability >> >> For the most part all the existing features to support debugability of >> PWAs and Web Bundles will apply. However, we are considering adding >> additional diagnostic messages to help developers understand when their >> application is misbehaving due to the stricter policies. >> >> Is this feature fully tested by web-platform-tests >> <https://chromium.googlesource.com/chromium/src/+/master/docs/testing/web_platform_tests.md> >> ? >> >> No, web application installation is a //chrome concept which can’t be >> exercised by web-platform-tests. Browser test infrastructure is in >> isolated_app_test_utils.h >> <https://source.chromium.org/chromium/chromium/src/+/main:chrome/browser/ui/web_applications/test/isolated_app_test_utils.h> >> . >> >> Flag name >> >> Developers can add an origin to --isolated-app-origins to enable >> isolation when installing a web app. Eventually this will support a real >> “developer mode” more similar to how Extensions development works. >> >> Requires code in //chrome? >> >> Yes, while much of the implementation will live in Blink and //content >> the web app installation infrastructure is implemented in //chrome. >> >> Estimated milestones >> >> No milestones specified >> >> Link to entry on the Chrome Platform Status >> >> https://chromestatus.com/feature/5146307550248960 >> >> This intent message was generated by Chrome Platform Status >> <https://chromestatus.com/>. >> Reilly Grant | Software Engineer | [email protected] | Google Chrome >> <https://www.google.com/chrome> >> > -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/e2b03073-fb6d-4252-91d3-299c3933919cn%40chromium.org.
