Re: Sysapp Runtime: Hosted App

On 2013-07-03 18:23, SUWIRYA Darmawan wrote:
>
> Hi,
>
> We would like to request clarification regarding the Hosted App type.
>
> Use case example.
>
> Part #1 :
>
> 1. My-App is a hosted app, hosted at www.my-app.com 
> <http://www.my-app.com>.
>
> 2. It hosts the manifest.webapp under www.my-app.com/manifest.webapp 
> <http://www.my-app.com/manifest.webapp>.
>
> 3. In its manifest, it asks for permission to access Contact API.
>
> 4. User opens Firefox BROWSER, goes to www.my-app.com 
> <http://www.my-app.com> for the very first time.
>
> 5. What should happen here ?
>
>     A. Will it parse and check the manifest.webapp - and :
>
>          A.1. offer user choice to install ?
>
>          A.2. or, offer user choice to grant a ONE TIME permission to 
> access Contact API ( valid for this session only ) -- without install ?
>
>          A.3. or, offer user both choices above ?
>
>          A.4. or, will it force to automatically trigger install ?
>
>     B. Or will it ignore existence of manifest.webapp there, and will 
> just run it as traditional web app -- and :
>
>          B.1. simply fail on the page where the Contact API is used ?
>
>          B.2. or will it popup for permission request on the page 
> where the Contact API is used ?
>
I think that the Group agreed that access to sensitive APIs will only be 
granted to installed applications, which means that if the user chooses 
to install the application in point 5.A.1 and the UA deems the 
application trustworthy enough to access the requested API, then the 
application will be able to use it. This is however not explicitly 
stated in the runtime spec and should be somehow fixed.

> Part #2 :
>
> 1. This time, let's say that user has already had My-App installed.
>
> 2. User opens Firefox BROWSER, goes to www.my-app.com 
> <http://www.my-app.com>.
>
> 3. What should happen now ?
>
>      A. Will it launch the already installed My-App out-of-browser as 
> standalone app ?
>
>      B. Will it continue running www.my-app.com 
> <http://www.my-app.com> in the browser ?
>
>           B.1. and automatically inherit the permission to access 
> Contact API that's already granted for the previously installed My-App ?
>
> We think it would be best if we could expect to have A.3 and B.1. 
> mentioned above as the behavior.
>
> Can we expect to have this kind of clarification to be explicitly 
> mentioned somewhere in the runtime spec as well ?
>
I don't know how FxOS handles this situation. In Tizen the browser and 
runtime are separate entities; the browser may initiate installation of 
a hosted application, but to actually use it, it needs to be run in the 
runtime. So for Tizen the answer would be B (without B.1).

Regards,
Janusz Majnert
Samsung R&D Institute Poland
Samsung Electronics

Received on Thursday, 4 July 2013 07:04:28 UTC