Re: Making Web Apps first class citizen

• From: Tobie Langel <tobie@w3.org>
• Date: Mon, 11 Mar 2013 13:31:46 +0100
• To: Robin Berjon <robin@w3.org>
• Cc: Dominique Hazael-Massieux <dom@w3.org>, Frederick.Hirsch@nokia.com, public-closingthegap@w3.org
• Message-ID: <DD64935FE91C42EA80135E484939A334@w3.org>

On Monday, March 11, 2013 at 12:20 PM, Robin Berjon wrote:
> On 08/03/2013 17:01 , Tobie Langel wrote:
> > On native, this experience is terrible. For example, it is common
> > that I receive an email notification that someone posted something I
> > care about on Facebook. I click the link from my native mail client.
> > This opens up the browser. I'm not logged in to Facebook on the
> > browser, so I now manually navigate to the FB app. I go through the
> > notifications there, find the one I care about. Click on it. I'm
> > taken to the relevant part of the FB app, only to find out this was
> > actually a tweet. So I click on it. I'm now within the in-app browser
> > of the Facebook app, in Twitter. I want to reply. I'm of course not
> > logged in to Twitter there. So I open up the link in the browser,
> > where I hope to be logged in to Twitter.
> 
> So, a big part of the issue you're seeing there is that you're using 
> iOS. I don't mean this as a jab, it really is an architectural weakness. 
> The flow you describe is far more sensible on any platform that has 
> something like intents and URL interception.

Fair enough. Will consider using an Android as primary device for a little while.
> You need more than shared cookie jars for this. You want links to a 
> given origin to be interceptable by an installed application from that 
> origin.

Sure. The App controller in Alex Russell's AppCache proposal would fill in that role quite nicely, don't you think?
> Shared cookie jars are annoying. I want to stay logged into my Twitter 
> client but I don't want to send identifying cookies on every site that 
> features a "Tweet this" button.

You're not sending cookies across origins, Twitter is passing this information on your behalf. So what you want is either policy that lets you opt-out of such a practice (e.g. DNT) or technology that lets you manage when you're logged in and when you're not based for example on whether the window is top-level or in an iframe (so basically an important overhaul of the way security is handled on the Web).
> We have simple solutions that are 
> superior, and we should use them.

Are we expecting these solutions to gain significant traction within a reasonable timeframe? Are we doing anything to help with this?

--tobie

Received on Monday, 11 March 2013 12:31:50 UTC