Re: [w3ctag/design-reviews] TAG review for web app `scope_extensions` (Issue #875) from Daniel Murphy on 2024-04-02 (public-webapps-github@w3.org from April 2024)

From: Daniel Murphy <notifications@github.com>
Date: Tue, 02 Apr 2024 09:10:55 -0700
To: w3ctag/design-reviews <design-reviews@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <w3ctag/design-reviews/issues/875/2032471170@github.com>

Voicing support for `scope_extensions` here from Google. This is a very important use-case for web developers trying to enable app experiences on the web platform, and comes from how organizations don't use just a single origin for their product.

Feedback from @torgo: I believe this is already scoped very tightly:
- This only affects logic that asks if a given url is "in-scope" of an app. This is done currently in one place - when we choose whether or not to show the toolbar in web apps showing an 'out of scope' origin. Please see how this works with this [site](https://noon-stream-music.glitch.me/) - if you install this site in Chrome or Edge, clicking on either of those links will demonstrate this toolbar. With scope extensions, the 'secondary' link will no longer show that toolbar.
- There is a two-way handshake here, demonstrating the ownership of both origins here by the app entity.
- This does NOT show content from one origin on another origin. When opening the url here back in Chrome or Edge, all is correct.

Illustrative example:
- Zoom is at www.zoom.com
- Zoom has an app installed there, the manifest entity is rooted to that origin (start_url / manifest_id are at that origin).
- Zoom also owns all other *.zoom.com subdomains, and each organization gets a subdomain.
- Currently, all zoom links for customers, when opened in the app, show the toolbar.
- This feature allows them to assert they own these subdomains and the manifest entity can consider those "in-scope", and not show that toolbar for their owned subdomains or other origins they own.

Feedback for @cynthia:
- The identifier here is [spec'd](https://www.w3.org/TR/appmanifest/#id-member) and comes from the manifest entity of the app.
- This uniquely identifies the app, and the 'origin' part of the identifier MUST match the origin of the document that links to this manifest.
- This means that it is impossible for an app to replicate an identifier for an origin they do not own. For an identifier to be 'https://www.a.com/id', this MUST have been from a document on that origin that has a manifest link (like `<link rel="manifest" href="manifest.json" />`) to a manifest to create that manifest entity. We can talk more about parsing options here, but the main guarantee here is that origin must match the document origin.
- Thus - it is safe to assume that specifying an identifier here with a given origin means that the app referenced there must be tightly coupled to that origin, and was defined by & linked from a document on that origin.

More abstractly - the feature is communicating & verifying 'what other origins are part of this app', so the user agent can work for the user accordingly.

--
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/875#issuecomment-2032471170
You are receiving this because you are subscribed to this thread.

Message ID: <w3ctag/design-reviews/issues/875/2032471170@github.com>

Received on Tuesday, 2 April 2024 16:10:59 UTC