WebApp installation via the browser

2014-05-30 Thread Jeffrey Walton
I have a question about Use Cases for Installable WebApps located at https://w3c-webmob.github.io/installable-webapps/. Under section "Add to Homescreen", the document states: ... giving developers the choice to tightly integrate their web applications into the OS directly from the Web br

Re: WebApp installation via the browser

2014-05-30 Thread Jeffrey Walton
On Fri, May 30, 2014 at 9:04 PM, Brendan Eich wrote: > Jeffrey Walton wrote: >> >> Are there any platforms providing the feature? Has the feature gained >> any traction among the platform vendors? > > Firefox OS wants this. Thanks Brendan. As a second related questio

WebApps and permission list?

2014-05-31 Thread Jeffrey Walton
I have a question about WebApps manifests and permissions. The page is part of Manifest for Web Applications located at http://www.w3.org/2012/sysapps/manifest/. The document provides a permission member and the following description: The permissions localizable member is a permissions obj

Re: [clipboard] Semi-Trusted Events Alternative

2014-07-26 Thread Jeffrey Walton
On Sat, Jul 26, 2014 at 9:19 AM, Perry Smith wrote: > Sorry if this is a lame question but I never understood the dangers of Copy > and Paste that the web is trying to avoid. Can someone explain that to me? > It's a point of data egress. You don't want sensitive information from one program scrap

Re: [clipboard] Semi-Trusted Events Alternative

2014-07-26 Thread Jeffrey Walton
On Sat, Jul 26, 2014 at 9:34 AM, Perry Smith wrote: > > On Jul 26, 2014, at 8:26 AM, Jeffrey Walton wrote: > >> On Sat, Jul 26, 2014 at 9:19 AM, Perry Smith wrote: >>> Sorry if this is a lame question but I never understood the dangers of Copy >>> and Past

Re: Blocking message passing for Workers

2014-08-11 Thread Jeffrey Walton
On Mon, Aug 11, 2014 at 7:52 PM, David Bruant wrote: > On 12/08/2014 00:40, Glenn Maynard wrote: > > On Sat, Aug 9, 2014 at 9:12 AM, David Bruant wrote: >> >> This topic is on people's minds [1]. My understanding of where we're at is >> that "ECMAScript 7" will bring syntax (async/await keywords

Re: Proposal for a Permissions API

2014-09-04 Thread Jeffrey Walton
On Thu, Sep 4, 2014 at 4:24 PM, Florian Bösch wrote: > On Thu, Sep 4, 2014 at 10:18 PM, Marcos Caceres wrote: > >> This sets up an unrealistic straw-man. Are there any real sites that would >> need to show all of the above all at the same time? > > Let's say you're writing a video editor, you'd l

Re: PSA: publishing new WD of Clipboard API and events on Sept 18

2014-09-15 Thread Jeffrey Walton
On Mon, Sep 15, 2014 at 4:27 AM, Arthur Barstow wrote: > This is a heads-up Hallvord intends to publish a WD of "Clipboard API and > events" and he is targeting a publication date of September 18. The ED > > > > If anyone has any comments or c

Re: PSA: publishing new WD of Clipboard API and events on Sept 18

2014-09-15 Thread Jeffrey Walton
On Mon, Sep 15, 2014 at 5:26 PM, Hallvord R. M. Steen wrote: >>> >> Please forgive my ignorance. But I don't see a requirement that data >> egressed from the local machine to be protected with SSL/TLS. > > I can certainly add a note *encouragi

Re: PSA: publishing new WD of Clipboard API and events on Sept 18

2014-09-16 Thread Jeffrey Walton
ove the security concerns along with the feature set. [0] http://www.w3.org/TR/html-design-principles/#solve-real-problems [1] http://www.w3.org/TR/html-design-principles/#priority-of-constituencies [2] http://www.w3.org/TR/html-design-principles/#secure-by-design > On Sep 15, 2014 3:18 PM,

Re: [clipboard] Semi-Trusted Events Alternative

2014-09-16 Thread Jeffrey Walton
On Tue, Sep 16, 2014 at 5:30 AM, Hallvord R. M. Steen wrote: >... if we get it right we've enabled some more functionality > for web apps without too much nuisance and abuse - > if we get it wrong, we probably have to revisit this and > lock it down with site whitelists and such. Keeping in mind >

Re: What I am missing

2014-11-18 Thread Jeffrey Walton
On Wed, Nov 19, 2014 at 12:35 AM, Michaela Merz wrote: > Well .. it would be an "all scripts signed" or "no script signed" kind of a > deal. You can download malicious code everywhere - not only as scripts. > Signed code doesn't protect against malicious or bad code. It only > guarantees that the c

Re: =[xhr]

2014-11-27 Thread Jeffrey Walton
> I think there are several different scenarios under consideration. > > 1. The author says Content-Length 100, writes 50 bytes, then closes the > stream. > 2. The author says Content-Length 100, writes 50 bytes, and never closes the > stream. > 3. The author says Content-Length 100, writes 150 b

Re: The futile war between Native and Web

2015-02-15 Thread Jeffrey Walton
> In practice this has proved to be wrong although the reasons vary from lack > of standards for > the platform feature to support, I find there are two problems with browser based apps. First is the security model, and second is anemic security opportunities. For the first point, Pinning with Ov

Re: The futile war between Native and Web

2015-02-16 Thread Jeffrey Walton
On Mon, Feb 16, 2015 at 1:48 AM, Florian Bösch wrote: > On Sun, Feb 15, 2015 at 10:59 PM, Jeffrey Walton wrote: >> >> For the second point, and as a security architect, I regularly reject >> browser-based apps that operate on medium and high value data because >>

Re: The futile war between Native and Web

2015-02-16 Thread Jeffrey Walton
On Mon, Feb 16, 2015 at 2:15 AM, Florian Bösch wrote: > On Mon, Feb 16, 2015 at 8:09 AM, Anders Rundgren > wrote: >> >> Unfortunately this is wrong and is why I started this thread. Mobile >> banking applications in Europe are usually featured as "Apps". >> This has multiple reasons; one is that

Re: The futile war between Native and Web

2015-02-16 Thread Jeffrey Walton
On Mon, Feb 16, 2015 at 3:17 AM, Florian Bösch wrote: > On Mon, Feb 16, 2015 at 9:08 AM, Jeffrey Walton wrote: >> >> I'd hardly consider an account holder's data as high value. Medium at >> best and likely low value. But that's just me. > > Of course i

Re: The futile war between Native and Web

2015-02-16 Thread Jeffrey Walton
On Mon, Feb 16, 2015 at 11:19 AM, Anders Rundgren wrote: > ... > > You would anyway end-up with proprietary "AppStores" with granted "Apps" and > then I don't really see the point insisting on using web-technology anymore. > General code-signing like used in Windows application doesn't help, it is

Re: The futile war between Native and Web

2015-02-19 Thread Jeffrey Walton
On Mon, Feb 16, 2015 at 3:34 AM, Anne van Kesteren wrote: > On Sun, Feb 15, 2015 at 10:59 PM, Jeffrey Walton wrote: >> For the first point, Pinning with Overrides >> (tools.ietf.org/html/draft-ietf-websec-key-pinning) is a perfect >> example of the wrong security model. The

Re: The futile war between Native and Web

2015-02-19 Thread Jeffrey Walton
On Thu, Feb 19, 2015 at 12:15 PM, Anne van Kesteren wrote: > On Thu, Feb 19, 2015 at 6:10 PM, Jeffrey Walton wrote: >> On Mon, Feb 16, 2015 at 3:34 AM, Anne van Kesteren wrote: >>> What would you suggest instead? >> >> Sorry to dig up an old thread. >> >

Re: The futile war between Native and Web

2015-02-19 Thread Jeffrey Walton
On Thu, Feb 19, 2015 at 1:44 PM, Bjoern Hoehrmann wrote: > * Jeffrey Walton wrote: >>Here's yet another failure that Public Key Pinning should have >>stopped, but the browser's rendition of HPKP could not stop because of >>the broken security model: >>ht

Re: The futile war between Native and Web

2015-02-19 Thread Jeffrey Walton
while > in transit; > > I believe both of those imperative necessities are achievable. > > Michaela > > > On 02/19/2015 01:43 PM, Jeffrey Walton wrote: >> On Thu, Feb 19, 2015 at 1:44 PM, Bjoern Hoehrmann wrote: >>> * Jeffrey Walton wrote: >>>>

Re: The futile war between Native and Web

2015-02-19 Thread Jeffrey Walton
On Thu, Feb 19, 2015 at 4:31 PM, Anne van Kesteren wrote: > On Thu, Feb 19, 2015 at 10:05 PM, Jeffrey Walton wrote: >> For what it's worth, I'm just the messenger. There are entire >> organizations with Standard Operating Procedures (SOPs) built around >> the stuff I

Re: Fingerprinting Guidance for Web Specification Authors

2015-12-01 Thread Jeffrey Walton
On Tue, Dec 1, 2015 at 11:52 AM, Arthur Barstow wrote: > Editors, All - please see "Fingerprinting Guidance for Web Specification > Authors" > and reflect it in your spec, accordingly. Tracking can be a tricky problem because it o