LGTM1

On Thursday, October 2, 2025 at 12:57:05 PM UTC-7 Reilly Grant wrote:
> LGTM as an IWA OWNER (3x LGTM from Blink API OWNERS are still required according to the IWA-specific API launch process <https://www.chromium.org/blink/launching-features/isolated-web-apps/>).
>
> Similar to Unrestricted WebUSB, this API is granting access to devices which we've made an explicit decision not to give to normal web sites. The additional integrity provided by IWAs allows us to make a meaningful decision that if access is granted to an app then the app's behavior is well-known and cannot be compromised by common attack vectors.
>
> This API exists to support specific, mainly enterprise-focused, use cases. On the broader web device-based authentication solutions such as WebAuthn are more appropriate.
>
> Reilly Grant | Software Engineer | [email protected] | Google Chrome <https://www.google.com/chrome>
>
> On Thu, Oct 2, 2025 at 6:39 AM Luke Klimek <[email protected]> wrote:
>
>> Contact emails
>>
>> [email protected], [email protected]
>>
>> Explainer
>>
>> https://github.com/WICG/web-smart-card/blob/main/README.md
>>
>> Specification
>>
>> https://wicg.github.io/web-smart-card
>>
>> Summary
>>
>> Enables smart card (PC/SC) applications to move to the Web platform. It gives them access to the PC/SC implementation (and card reader drivers) available in the host OS.
>>
>> Administrators can control the availability of this API either:
>>
>> - Globally—using the DefaultSmartCardConnectSetting policy.
>> - Per-application—using the SmartCardConnectAllowedForUrls and SmartCardConnectBlockedForUrls policies.
>>
>> Blink component
>>
>> Blink>SmartCard <https://issues.chromium.org/issues?q=customfield1222907:%22Blink%3ESmartCard%22>
>>
>> Web Feature ID
>>
>> None
>>
>> TAG review
>>
>> This is an IWA-only API, and TAG has made it clear recently that they don't want to review IWA-related stuff. Relevant statement: https://github.com/w3ctag/design-reviews/issues/842#issuecomment-2917031448
>>
>> TAG review status
>>
>> Not applicable
>>
>> Risks
>>
>> Interoperability and Compatibility
>>
>> Other browsers may choose to implement this API, that is however dependent on adoption of the Isolated Web Apps as a whole.
>>
>> Gecko: No signal
>>
>> WebKit: No signal
>>
>> Web developers: Positive (https://github.com/WICG/web-smart-card/issues/43)
>>
>> Other signals:
>>
>> Security
>>
>> https://github.com/WICG/web-smart-card?tab=readme-ov-file#security-and-privacy-considerations
>>
>> https://wicg.github.io/web-smart-card/#security-privacy
>>
>> This is a highly security-sensitive API. This is why it is currently being guarded behind:
>>
>> 1. Isolated Web App installation (and also declaration of the `smart-card` permission policy in the manifest)
>> 2. Fine-grained user-facing permission mechanism that gives the end user control over the most privacy-sensitive moments (connection to a smart card reader).
>>
>> For more context on the permissions design and how it interacts with Chrome UI and enterprise policy see go/web-smart-card-api-permissions <http://goto.google.com/web-smart-card-api-permissions> (sorry, Googlers-only).
>>
>> WebView application risks
>>
>> Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
>>
>> None.
>>
>> Debuggability
>>
>> The code using this API can be debugged using the standard tools. Potential future improvement would be a new CDP domain to allow mocking system PC/SC to not rely on actual hardware.
>>
>> More design explorations at go/web-smart-card-api-cdp <http://goto.google.com/web-smart-card-api-cdp>, sorry, Googlers-only. Complexity of this endeavour however makes us defer this at least until cross-platform launch. This is a part of a broader effort to add WPTs to this feature: https://crbug.com/40275258
>>
>> Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, ChromeOS, Android, and Android WebView)?
>>
>> No. Underlying implementation highly depends on the system native PC/SC stack. ChromeOS is the first platform implemented. Also, IWAs themselves are not currently launched anywhere else.
>>
>> Is this feature fully tested by web-platform-tests <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
>>
>> No. WPT does not support IWA test environments. Once that support is available, we can investigate adding IWA-focused WPT tests. Also, implementation also is highly complex, as the API depends on communication with the native system PC/SC and actual hardware. Future WPT implementation, tentatively planned for the cross-platform launch is tracked here: https://crbug.com/40275258
>>
>> DevTrial instructions
>>
>> https://github.com/WICG/web-smart-card/blob/main/HOWTO.md
>>
>> Flag name on about://flags
>>
>> enable-smart-card-web-api
>>
>> Finch feature name
>>
>> SmartCard
>>
>> Rollout plan
>>
>> Will ship enabled for all users
>>
>> Requires code in //chrome?
>>
>> True
>>
>> Tracking bug
>>
>> https://bugs.chromium.org/p/chromium/issues/detail?id=1386175
>>
>> Launch bug
>>
>> https://launch.corp.google.com/launch/4234437
>>
>> Measurement
>>
>> UseCounters:
>>
>> 1. SmartCardEstablishContext: Entry point to the API overall.
>> 2. SmartCardConnect: Entry point to actually using API for communication with smart card readers.
>>
>> Availability expectation
>>
>> API is available only in Chromium browsers for the foreseeable future—no other browser engine has yet displayed interest in implementing Isolated Web Apps, which are a prerequisite to this API. Initially API will be available on ChromeOS only, with intent to implement it elsewhere later (as Isolated Web Apps are launched on other platforms).
>>
>> Adoption expectation
>>
>> Expected to be used initially by a small number of developers inside Isolated Web Apps.
>>
>> Adoption plan
>>
>> Working directly with developers that are planning to rely on the API.
>>
>> Non-OSS dependencies
>>
>> Does the feature depend on any code or APIs outside the Chromium open source repository and its open-source dependencies to function?
>>
>> Yes. This API depends on the system-specific PC/SC implementation, as it is essentially a proxy to it. For the initial launch on ChromeOS, this extension is the sample provider that should be installed in Chrome for the API to function: https://github.com/GoogleChromeLabs/chromeos_smart_card_connector On the other platforms, we will probably add new dependencies (PCSC on Windows and PC/SC lite elsewhere) to the Chromium project itself.
>>
>> Sample links
>>
>> https://github.com/GoogleChromeLabs/web-smartcard-demo
>>
>> Estimated milestones
>>
>> Shipping on desktop: 143
>>
>> DevTrial on desktop: 141
>>
>> Anticipated spec changes
>>
>> Open questions about a feature may be a source of future web compat or interop issues. Please list open issues (e.g. links to known github issues in the project for the feature specification) whose resolution may introduce web compat/interop risk (e.g., changing to naming or structure of the API in a non-backward-compatible way).
>>
>> None.
>>
>> Link to entry on the Chrome Platform Status
>>
>> https://chromestatus.com/feature/6411735804674048?gate=4552874575527936
>>
>> Links to previous Intent discussions
>>
>> Intent to Prototype: https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CA%2BenBd9j9Ucy-BKqfQSk9hZxVG6-qm4H6X3%3DxT9U86KpiOpKeA%40mail.gmail.com
>>
>> This intent message was generated by Chrome Platform Status <https://chromestatus.com/>.
