- From: Anders Rundgren <anders.rundgren.net@gmail.com>
- Date: Tue, 17 Feb 2015 19:40:14 +0100
- To: public-webapps <public-webapps@w3.org>, sysapps <public-sysapps@w3.org>

Although I still prefer native messaging, here is a more complete proposal for a webish solution:
http://webpki.org/papers/trusted-web-apps.pdf

Anders

On 2015-02-17 06:32, Anders Rundgren wrote:
> For those who frown at the idea of calling native (trusted) applications from the untrusted web [1],
> here is a writeup of how you could run trusted web-code inside of an untrusted web-application.
>
> Regarding the use-cases, there are many ranging from phone-dialers on support pages to payments [2].
>
> Since you probably do not want to rewrite browsers from scratch, the most logical
> is building on running trusted code in IFRAMEs so that the existing protection scheme
> can be reused. The difference with existing IFRAMEs is that the code must be trusted
> by the platform which also means that it must be fetched from the platform:
>
> <iframe trustedapp="com.example.PaymentRequest" ... ></iframe>
>
> This code should appear to the browser as coming from a virtual domain.
> The only communication possible is through postMessage().
>
> If the referenced application isn't available in the local cache, the browser should presumably
> consult the device-specific "AppStore".
>
> A side-effect of this "specification" is that trusted web-applications may be device-specific which
> actually is a plus since it reduces the need to standardize access to the OS and HW layer.
>
> That is, there could be a new class of standardized trusted web-applications where only
> the invoke/postMessage part is standardized!
>
> Cheers,
> Anders Rundgren
>
> [1] https://lists.w3.org/Archives/Public/public-web-intents/2015Feb/0000.html
>
> [2] Although not entirely compliant with the above, the following demo
> https://mobilepki.org/WebCryptoPlusPlus
> does the same thing from a user's perspective.
>

Received on Tuesday, 17 February 2015 18:41:06 UTC