W3C home > Mailing lists > Public > public-webapps@w3.org > July to September 2010

Re: Widgets - WARP, Widgets Updates and Digital Signatures

From: Marcos Caceres <marcosc@opera.com>
Date: Thu, 16 Sep 2010 17:58:18 +0200
Message-ID: <AANLkTi=27tUDHZz4ZGsv-bTou_MO1kSKf+FdRhEAKRfY@mail.gmail.com>
To: nathan@webr3.org
Cc: "Nilsson, Claes1" <Claes1.Nilsson@sonyericsson.com>, "Frederick.Hirsch@nokia.com" <Frederick.Hirsch@nokia.com>, "public-device-apis@w3.org" <public-device-apis@w3.org>, public-webapps <public-webapps@w3.org>
On Thu, Sep 16, 2010 at 1:42 PM, Nathan <nathan@webr3.org> wrote:
> cc: public-webapps
>
> Hi Claes,
>
> Nilsson, Claes1 wrote:
>>
>> Hi Nathan,
>>
>> Thanks for clarifying your proposal.
>>
>> I interpret you so that you are proposing standardization of a general
>> concept of "packaged and installed web applications". Something like
>> http://code.google.com/chrome/apps/docs/index.html plus additional features
>> from widgets specifications.
>>
>> This is something that can have a value by several reasons, for example:
>> * Whole application package or only manifest/configuration file could be
>> digitally signed.
>> * Permission to use APIs could be given at installation time.
>> * Manifest/configuration file could define network access limitations.
>> * Web application marketing/deployment/charging advantages.
>> I agree that the specifications you mention are applicable for a general
>> concept of "packaged and installed web applications" but I believe that
>> currently most people have the view that "widgets" are "packaged and
>> installed web applications" that run small "live" applications on the home
>> screen. However, what does the widgets specifications actually say? I
>> haven't digged into the documents in detail but are they not already
>> enabling a general concept of "packaged and installed web applications"?
>> So far there has been a distinction between "browser", running dynamic
>> content on web sites and "widget user agent", running installed web widgets.
>> Reading you original mail in this thread you say:
>> " Simply wondering why WARP, Widgets Updates and Digital Signatures aren't
>> used to deploy js applications which run in the main browser context?".
>>
>> So, what are you actually proposing?
>>
>> * Update to HTML5 to support "packaged and installed web applications" in
>> the "main browser context"?
>> Plus
>> * Updates to the Widgets specifications to enable the more general concept
>> of "packaged and installed web applications"?
>
> I'm proposing something before that, to consider whether "packaged and
> installed web applications" should be considered and if it would be viable +
> gain support from the main browser vendors, then to look at exactly how. I'd
> loosely suggest that the work done on the Widgets specifications could be
> re-used, forked or even that the Widgets specifications were re-scoped to
> general client side web applications and aligned with the other work being
> done within web-apps, html5 and device-apis. Ultimately it just seemed to me
> like much of the heavy lifting has already been done under the banner of
> widgets.

I thought that is what we had done already? I don't get it.

>> Furthermore, do we really want "packaged and installed web applications"
>> to run by the same user agent, i.e. the normal browser as normal website
>> based web applications? We may want to have different "user agent chromes"
>> depending on type of web application.
>
> Personally, yes, being able to make applications using a suite of
> standardized languages and APIs with near universal deployment on a core set
> of rapidly evolving runtimes, really, really, appeals :) I wouldn't suggest
> that the scope be limited to user agent (ie browser vendors) only, but they
> are the obvious target for most applications in the first instance.

As above. I thought that was what we (Web Apps WG - Widgets) have been
doing for the last 5 years?

>> Best regards
>>  Claes
>>
>>> -----Original Message-----
>>> From: Nathan [mailto:nathan@webr3.org]
>>> Sent: den 8 september 2010 18:27
>>> To: Nilsson, Claes1
>>> Cc: Frederick.Hirsch@nokia.com; public-device-apis@w3.org
>>> Subject: Re: Widgets - WARP, Widgets Updates and Digital Signatures
>>>
>>> Hi Claes,
>>>
>>> I think the main thing that's missing from the proposal is context :)
>>>
>>> With the advent of client side persistence solutions and ever
>>> increasing
>>> device/browser capabilities, it's now possible to make 100% client side
>>> js applications which run in the browser, everything from small games
>>> and micro-blog clients right up to full document/image editors. There
>>> is
>>> a strong shift in this direction from many corners of the web.
>>>
>>> Currently application developers can choose between:
>>>  (1) hosting the client side application on a 'website'.
>>>  (2) creating a vendor specific 'extension'.
>>>
>>> When really, what we all want/need is to be able to 'install' an
>>> application which runs in the main browser context (i.e. can be used
>>> off
>>> line, can be packaged as an application, can be signed, can contain an
>>> access request policy).
>>>
>>> You might think of this as cross between a Mozilla Prism, browser
>>> extensions, widgets and traditional web applications. Universal web
>>> applications that can run on any device.
>>>
>>> To my untrained eye, it appears that virtually everything needed to
>>> take
>>> a series of scripts & resources and wrap them up in a manner similar to
>>> extensions is already spec'd out in the various widget specifications.
>>> Everything needed to run the applications universally is already
>>> provided by any user agent on any device that implements
>>> js/html/web-apps/device apis.
>>>
>>> Thus, the suggestion to scope using the widgets specifications as a way
>>> to package all this up and give the world universal web applications
>>> which run on any device and provided the needed
>>> packaging/signing/access-request/update side of things.
>>>
>>> Best,
>>>
>>> Nathan
>>>
>>> Nilsson, Claes1 wrote:
>>>>
>>>> Hi,
>>>>
>>>> Assuming I don't misunderstand the proposal/questions I would say:
>>>>
>>>> * WARP: Might work for main browser context?
>>>>
>>>> * Digital Signatures for Widgets: I guess that using "Digital
>>>
>>> Signatures for Widgets" for normal web application running in the
>>> browser wouldn't work as this specification assumes signing of an
>>> installed package. For web applications running in main browser context
>>> the corresponding specification is xmldsig
>>> (http://www.w3.org/TR/xmldsig-core/), that makes it possible to sign
>>> defined parts of web content. However, as far as I know this
>>> specification has not been much implemented as it is considered
>>> complicated. Don't know any details.
>>>>
>>>> * Widgets Update: Don't see the meaning of this for browser context
>>>
>>> as this specification assumes an installed package.
>>>>
>>>> Regards
>>>>  Claes
>>>>
>>>>> -----Original Message-----
>>>>> From: public-device-apis-request@w3.org [mailto:public-device-apis-
>>>>> request@w3.org] On Behalf Of Frederick.Hirsch@nokia.com
>>>>> Sent: den 7 september 2010 20:24
>>>>> To: public-device-apis@w3.org
>>>>> Cc: Frederick.Hirsch@nokia.com; nathan@webr3.org
>>>>> Subject: Fwd: Widgets - WARP, Widgets Updates and Digital Signatures
>>>>>
>>>>> Forwarding with permission .
>>>>>
>>>>> What do you think of this approach?
>>>>>
>>>>> regards, Frederick
>>>>>
>>>>> Frederick Hirsch
>>>>> Nokia
>>>>>
>>>>>
>>>>>
>>>>> Begin forwarded message:
>>>>>
>>>>>> From: ext Nathan <nathan@webr3.org>
>>>>>> Date: September 3, 2010 1:52:26 PM EDT
>>>>>> To: public-webapps <public-webapps@w3.org>
>>>>>> Subject: Widgets - WARP, Widgets Updates and Digital Signatures
>>>>>> Reply-To: "nathan@webr3.org" <nathan@webr3.org>
>>>>>>
>>>>>> Hi All,
>>>>>>
>>>>>> Simply wondering why WARP, Widgets Updates and Digital Signatures
>>>>>
>>>>> aren't
>>>>>>
>>>>>> used to deploy js applications which run in the main browser
>>>
>>> context?
>>>>>>
>>>>>> seems like a nice solution that would work webscale, and which
>>>
>>> would
>>>>>>
>>>>>> provide further user security, identification of trusted apps and
>>>>>
>>>>> cover
>>>>>>
>>>>>> the other half of CORS which is informing and protecting the user.
>>>>>>
>>>>>> Perhaps one of the vendors has already implemented in the main
>>>>>
>>>>> context?
>>>>>>
>>>>>> Best,
>>>>>>
>>>>>> Nathan
>>>>>>
>>>>
>>>>
>>
>>
>>
>
>
>



-- 
Marcos Caceres
Opera Software ASA, http://www.opera.com/
http://datadriven.com.au
Received on Thursday, 16 September 2010 15:59:15 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:40 GMT