Re: Privileged and certified-level app, was Re: Clarity over direction of work on runtime and security model? from Marcos Caceres on 2013-10-04 (public-sysapps@w3.org from October 2013)

From: Marcos Caceres <w3c@marcosc.com>
Date: Fri, 4 Oct 2013 09:11:41 +0200
To: Kostiainen, Anssi <anssi.kostiainen@intel.com>
Cc: "public-sysapps@w3.org" <public-sysapps@w3.org>, Nilsson, Claes1 <Claes1.Nilsson@sonymobile.com>, Kenneth Rohde Christiansen <kenneth.christiansen@gmail.com>, Dave Raggett <dsr@w3.org>, Isberg, Anders <Anders.Isberg@sonymobile.com>
Message-ID: <C8ADDAE6984E4FA28DE14760062A07F3@marcosc.com>

On Wednesday, October 2, 2013 at 1:44 PM, Kostiainen, Anssi wrote:

> On Sep 25, 2013, at 1:48 PM, Marcos Caceres <w3c@marcosc.com (mailto:w3c@marcosc.com)> wrote:
> 
> [...]
> 
> > This means that, from the get-go, certified and privileged packaged apps cannot be shared across runtimes in an interoperable manner (without replacing the signature, which kinda defeats the purpose).
> > 
> > Question for the SysApps WG is: do we want to attempt to standardise a digital signature scheme for packaged apps?
> 
> A follow up question to the group, assuming digsig is scoped out:
> 
> What is the problem the group would like to solve by standardizing "unsigned" packaged apps that is not solved by "hosted apps" (for the sake of a better word) and ServiceWorkers (that will hopefully address the offline problem)?

There is probably not much. Packaged apps are  useful for products like PhoneGap and Blackberry WebWorks (that are then built/compiled to run on native platforms) - both PhoneGap and Blackberry already use W3C Widgets, so it would just be reinventing the wheel to re-standardize packaged apps. Guys from Adobe and Blackberry can correct me if I'm wrong, but it seems Widget's XML format is serving their platforms just fine.  

Adding the ability to define an origin for an application ("e.g., <origin host='com.foo.bar'>") solves the only real outstanding issue for packaged apps: being able to work with CORS-enabled services. This then causes the Origin HTTP header to be: 

Origin: app://com.foo.bar 

(or whatever the developer wants). 

Adding support for CSP tightening (and defining packaged apps in terms of CSP) is a nice to have - specially if developers can control this.     

Personally I think we should kill the idea of a "hosted app" too. Segregating the Web into types of Web apps seems very unhelpful and risks creating badness: some apps may only work if installed, when they should work regardless in all browsers (including legacy ones). 
> It seems the runtime-related bits on which to reach consensus on are:
> 
> * App Manifest
Right - and this includes if we really need one. And if we do, what purpose it serves, what is/is-not covered by HTML, etc.    
> * App Lifecycle and Events
> 

This affects the Web at large so whatever we come up with, we need to make sure this is a browser solution (not a hosted apps, packaged apps thing).   
> * ServiceWorkers
> 

Nice to tie into the above.

Received on Friday, 4 October 2013 07:12:07 UTC