For those who frown at the idea of calling native (trusted) applications from the untrusted web, here is a writeup of how you could run trusted web-code inside of an untrusted web-application.

Regarding the use-cases, there are many, ranging from phone-dialers on support pages to payments. Since you probably do not want to rewrite browsers from scratch, the most logical is building on running trusted code in IFRAMEs so that the existing protection scheme can be reused.

The difference with existing IFRAMEs is that the code must be trusted by the platform, which also means that it must be fetched from the platform:

    <iframe trustedapp="com.example.PaymentRequest" ... ></iframe>

This code should appear to the browser as coming from a virtual domain. The only communication possible is through postMessage().

If the referenced application isn't available in the local cache, the browser should presumably consult the device-specific "AppStore".

A side-effect of this "specification" is that trusted web-applications may be device-specific, which actually is a plus since it reduces the need to standardize access to the OS and HW layer. That is, there could be a new class of standardized trusted web-applications where only the invoke/postMessage part is standardized!

Cheers,
Anders Rundgren

[1] https://lists.w3.org/Archives/Public/public-web-intents/2015Feb/0000.html
[2] Although not entirely compliant with the above, the following demo https://mobilepki.org/WebCryptoPlusPlus does the same thing from a user's perspective.
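
Because postMessage() is the only channel between the untrusted page and the trusted frame in the scheme above, each side has to validate what crosses it. The following is an added example, not code from the original post: the message format, the virtual origin string and all function names are assumptions, since the post specifies none of them.

```javascript
// Added example. The post defines no message format or virtual-domain syntax,
// so the origin string, field names and function names below are assumptions.
const TRUSTED_ORIGIN = "https://com-example-paymentrequest.trustedapp.invalid";

// Host page (untrusted) side: accept a reply only when it comes from the
// trusted frame's own window AND its virtual origin, and answers a request
// this page actually sent. Returns the accepted reply or null.
function makeHostReceiver(frameWindow, pending) {
  return function onMessage(event) {
    if (event.source !== frameWindow) return null;     // some other window
    if (event.origin !== TRUSTED_ORIGIN) return null;  // frame content is not the trusted app
    const m = event.data;
    if (!m || typeof m !== "object" || typeof m.id !== "string") return null;
    if (m.type !== "result" || !pending.has(m.id)) return null; // unsolicited or replayed
    pending.delete(m.id);
    return { id: m.id, result: m.result };
  };
}

// Trusted app side: the embedding page is untrusted, so every field of an
// invoke message is treated as hostile input and checked against a strict shape.
function validateInvoke(event) {
  const m = event.data;
  if (!m || typeof m !== "object" || m.type !== "invoke")
    return { ok: false, reason: "not an invoke message" };
  if (typeof m.id !== "string" || m.id.length === 0 || m.id.length > 64)
    return { ok: false, reason: "bad id" };
  if (typeof m.amount !== "string" || !/^\d{1,9}(\.\d{2})?$/.test(m.amount))
    return { ok: false, reason: "bad amount" };
  if (typeof m.currency !== "string" || !/^[A-Z]{3}$/.test(m.currency))
    return { ok: false, reason: "bad currency" };
  // event.origin is filled in by the browser, not by the sender: show it to
  // the user as the requester and use it as targetOrigin for the reply.
  return {
    ok: true,
    request: { id: m.id, amount: m.amount, currency: m.currency, requester: event.origin },
  };
}
```

In a browser, `makeHostReceiver` would be given the iframe's `contentWindow` and registered with `window.addEventListener("message", ...)`; the trusted app would post its reply with the validated `requester` as `targetOrigin` rather than `"*"`.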