W3C home > Mailing lists > Public > public-webapps@w3.org > July to September 2011

Re: Widgets & ApplicationCache

From: Charles Pritchard <chuck@jumis.com>
Date: Fri, 16 Sep 2011 09:31:01 -0700
Message-ID: <4E7379C5.7020202@jumis.com>
To: Dominique Hazael-Massieux <dom@w3.org>
CC: Marcos Caceres <marcosscaceres@gmail.com>, public-webapps@w3.org
On 9/16/11 8:00 AM, Dominique Hazael-Massieux wrote:
> Le vendredi 16 septembre 2011 à 21:36 +0700, Marcos Caceres a écrit :
>>> I think they are actually not so different, and share many use cases.
>> Ok, I strongly object in the strongest of terms to them being put together and I'm more than happy to debate any argument you might have for lumping them together. Here we go :)
> http://www.w3.org/2011/web-apps-ws/

Dominique is not the only one to be wondering about the distinction.

I've been watching Google implement their .crx packaging mechanism over 
the past year and a half:
in that time, they've not reconciled the two distribution strategies any 
further.

Hosted apps, still, are what we are looking at for distribution. A 
hosted app consists of a very
simple permissions manifest (title, author, url, permissions requested) 
and for efficiency and offline use, a website that implements 
applicationCache.

Google has also, for some time, carried a development flag "CRX-less Web 
Apps - Enables support for installing Chrome apps that are deployed 
using a manifest file on a webpage, rather than by packaging the 
manifest and icons into a crx file.".

This brings packaging even closer to the applicationCache model.

As a developer, I'd like to see a little bit of both: I'd like to be 
able to ship all of my content in a Widget, to save myself the use of 
bandwidth, but allow the application to be updated via applicationCache 
mechanisms.


>>> ApplicationCache can be used to group a bunch of HTML, CSS and JS files
>>> that constitue an "installable application" (e.g. the way the iOS safari
>>> browser let you save to your homescreen an offline Web app when an
>>> application cache is present).
>> I'm sorry, but that has absolutely nothing to do with Application cache. It's done like this:
>>
>> <link rel="apple-touch-icon" href="/icon.png">
> Sure, that bits helps for having an icon on the homescreen; it's fair to
> say that rel="apple-touch-icon" (and its standard equivalent rel="icon"
> with the sizes attribute) completes ApplicationCache in matching the
> features that widget packaging provides.
>
> But without the application cache, your nice and shiny icon won't load
> anything if you're not connected;<link rel="apple-touch-icon">  is the
> equivalent to<icon>  in config.xml, where ApplicationCache is the list
> of files encoded in the Zip file.

It's also quite similar to favicon.

Favicon sure has had a long run. It's becoming even more widely used, with
browser home screens turning into application-launcher screens.

There are so many ways we need to package icons now. Google and Apple 
platforms
ask for a whole collection of them in different sizes.

I tell you, as absurd as it may be, a css media type of "icon" is 
closing in on us.


>>>> ApplicationCache is cache control thing: it does not "package" a Web
>>>> Application; just makes some resources available from the cache
>>>> (potentially for off-line use). The end user has not control over it
>>>> and the author can shut it off at any point.
>>>
>>> The end user *could* have control over it if the user agent let her (the
>> But the user agent doesn't let her, because he is mean. And I don't
>> think that is the way the spec was written (though I need to check).
>> But I doubt the spec says anything about that, as it seems the author
>> is king in that situation.
> I agree that the widget specs say a lot more on application management
> than ApplicationCache (which more or less only deals with updates and
> connectivity); but the applicationcache spec certainly doesn't forbid
> user agents to do smart things with it, as the iPhone implementation
> shows.
>
> As far as I know, (at least) Mozilla is working on "saving as Web
> application", and I would be extremely surprised if they didn't use the
> applicationcache when available to do that.

I expect the same. When/if a user decides that a web application is 
-important- to them, they do grant it additional permissions, such as 
increasing file storage limits (or perhaps, duration of the temporary 
file system). That method seems to be working, and preferred, for most 
use cases.

I know that one of our apps asks for "access to everything you have ever 
done" -- It could be more granular, if mechanisms were in place... 
Asking for things like CORS exceptions.

Whether packaged as a widget, or distributed via applicationCache, there 
is the question of automatic updating, and how to handle all of that. 
I'm certainly more pleased with Google Chrome's automatic updating 
feature than I am with the bi-weekly (I kid) updates pushed out by 
Oracle for Java, interrupting my day to remind me that Java is installed 
on my OS.

I think "updating" ought to be looked at from a permissions perspective. 
As a user, I'd like to be able to say: keep this app cache, no matter 
what. That'd let me lock-down some systems from man in the middle 
attacks, once the app is installed. Considering recent SSL breaches, 
it's a reasonable use case.


>>> same way a widget user agent could also automatically remove widgets
>>> that their authors wish to retract).
>> There is no provision in any of the specs to do this. Certainly not by design, unlike HTML5.
> Right; but knowing how application stores tend to have a remove-this-app
> switch, I'd be surprised if many applications stores based on widgets
> didn't have a similar ability.
>

It looks like this is all about permissions. implicit, explicit and managed.


>>>   And
>>> an application cache could also have a widget as part of its list of
>>> cacheable resources.
>> Sure, they could have bananas too and all sorts of hypothetical things too. But they don't.
> Right, because that's not terribly useful. But you brought the fact that
> one technology could embed the other, I didn't.

I'd like this. Something like a new field type in application cache
documenting a widget by cryptographic hash, and documenting
which files in the application cache are not necessary, if that widget 
is installed.

It'd be just as useful for shared libraries as it would for mixing packaged
and unpackaged widgets.

>>>>   It can be used for defining other classes of applications and formats
>>>> (e.g., Opera Extensions).
>>>
>>> I can also imagine using ApplicationCache to do that.
>> You have a wild imagination :) I'm sure there is a good reason why no
>> one has done it.
>>
>>   In any case, the document is discussing concrete things, not
>> imaginary things.
> Right; the document is not discussing the fact that widgets can also be
> used for creating browser extensions, or providing server-side lump of
> content. It's discussing packaging web applications for offline usage.

 From watching Google, I can see that they are trying to take extra 
precautions on hosted vs. packaged widgets. Hosted are very much like 
applicationCache, with a sprinkling of permissions.

There are some high-security items where they only allow packaged apps 
to access sensitive APIs. But even some of those are gradually being 
pushed into the hosted apps realm. Web Intents is a good example. On 
Chrome OS, the user can install a widget which can register itself as a 
file handler, by file type. They only allow this for packaged 
applications. But, Web Intents is working on this use case, and will 
extend that functionality to hosted applications.


>>   Please base the document on real world things, not on things you
>> imagine.
> I don't think I'm imagining that both widgets and applicationcache
> provide a way to package Web applications for users. At least, you still
> haven't convinced me that they don't.
>

I hope my real world examples are a help, here.

>>> Widgets and ApplicationCache differ in some ways (e.g. the security
>>> model of widgets is different, widgets currently don't have an origin,
>> The do have an origin! It's called widget:// and it's an completely
>> conforming origin: Please look up the definition of origin in the
>> HTML5 spec.
> Indeed, my mistake.

Well you know, on the web today, it's typically called chrome:// and 
chrome-extension://.
It's an easy mistake to make.


-Charles
Received on Friday, 16 September 2011 16:31:33 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:47 GMT