Re: [w3ctag/design-reviews] MiniApp Lifecycle (#523)

> Does this mean that an intermediary (the MiniApp platform) gets to sign off on the MiniApp's origin? I have some grave concerns about that approach. Have you considered adapting a model where the intermediary is only a delivery mechanism, such as what was done in exchanges?

I guess we have different understanding of origin in the context of MiniApp. 

"its hosted Super App or OS will check the origin of the MiniApp". Here, I think the "origin" might cause some confusion. The more suitable description is "hosted Super App or OS will check the validity of the MiniApp's request URL domain".

In detail, in the first step, MiniApp developer need to submit its MiniApp domain along with the MiniApp package to the backend MiniApp platform, which is provided by the hosted Super App or OS vendors. The MiniApp platform will check and determine whether the MiniApp domain can be permitted. If permitted, the MiniApp domain can be registered. This part is more like a business policy, which is out scope of MiniApp standard.

Then, when a MiniApp is firstly launched, its hosted Super App or OS will download the MiniApp package from the backend MiniApp platform. And the MiniApp runtime is responsible for checking the validity of MiniApp's request URI domain. If the domain has been registered in the MiniApp platform, then a WebView will be called to open and render the new page identified by the request URI. Same-origin Policy is handled by WebView.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/523#issuecomment-1102645999
You are receiving this because you are subscribed to this thread.

Message ID: <w3ctag/design-reviews/issues/523/1102645999@github.com>

Received on Tuesday, 19 April 2022 13:23:32 UTC