On 5/12/2012 1:14 PM, Ian Hickson wrote:
> On Sat, 12 May 2012, Anant Narayanan wrote:
>> There are clear differences in perception between an app and a website
>> for most users. Most web content is expected to be free, but the same
>> content wrapped in an app is something people seem to be willing to pay
>> for. Monetization is important to encourage a thriving web developer
>> community.
>
> I don't think it makes sense to use a technical solution to a
> non-technical problem.

The proposed spec is not the solution, but rather forms the technical
basis for the actual solution which is to build an app ecosystem around
web technologies. It is futile to try and educate users about how the web
*really* works, and thus we must move to terminology and conventions
that they already know and understand (purchase/install apps from stores).

>> Additionally, treating certain "installed" websites as apps gives us a
>> context separate from loading pages in a browser, which allows us to
>> provide privileged APIs to such trusted apps, APIs we would normally not
>> give to untrusted web content.
>
> Desktop operating systems have demonstrated over a period of many years
> that this approach simply doesn't work. Users find it very difficult to
> understand what it means to "trust" an app. The Web's security model is
> IMHO significantly superior to any of the "app" security models we have
> seen in "native" operating systems, as demonstrated by the way that when
> malware is written to the "app" model it has to be dealt with by curating
> the application market space, whereas when malware is written to the Web
> model it is almost always because of errors in the design or
> implementation of the Web platform that, once fixed, preclude any similar
> attack from being performed again.
>
> The "installation" security model of asking the user up-front to grant
> trust just doesn't work because users don't understand the question, and
> the "installation" security model of curating apps and trying to determine
> by empirical examination whether an application is trustworthy or not just
> doesn't scale.

We are not suggesting that a web app be automatically given privileges
simply by virtue of being installed. Untrusted "installed" apps are
no different from any web page in that regard. Neither are we suggesting
that all permissions be asked up-front. For some APIs it makes sense to
ask up front, for others, run-time is more appropriate. The real
security comes from curated stores, ratings, signed apps, pro-active
take-downs and many other such measures.
The main point is that creating a layer of trust beyond what we have for
web pages allows such privileges to be granted to a set of apps that
meet certain criteria. We are discussing the security model for each
type of API in detail on the dev.webapps list [1], but the general idea
is to categorize every API into one of three "buckets":

1. Regular content (unauthenticated web pages and apps)
2. Trusted content (apps authenticated by publisher)
3. Certified content (apps vouched for by trusted 3rd party)

Apps in a curated store fall in the 2nd category, whereas sensitive apps
like the dialer on a phone would fall into the 3rd category because they
are, for example, pre-bundled and signed. A regular web app that simply
adds an install button to their page would fall in the first category.
The real value to such a system is on mobile devices rather than
desktops. The fact remains that most users spend less time in a browser
than in an app when they are using a phone or tablet. The open web
platform needs to regain some of that lost attention.
Regards,
-Anant
[1] https://groups.google.com/group/mozilla.dev.webapps/browse_thread/thread/52d86024cbfd0da6