- From: Daniel Murphy <notifications@github.com>
- Date: Mon, 08 Jul 2024 10:17:37 -0700
- To: w3ctag/design-reviews <design-reviews@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <w3ctag/design-reviews/issues/875/2214751752@github.com>
I agree that it's not great, but this is unfortunately a requirement due to the existing way the web is set up. The Zoom use-case is the best example here, but other companies are set up similarly:

- The Zoom web app is at `https://app.zoom.us/`
- Each organization that contracts Zoom has a custom sub-domain, like "https://mycompany.zoom.com"
- Zoom wants to just have one app that can be used for any organization, where the user would use the same app to join Zoom calls with any organization they are part of or are given a meeting link to.
- Without the same-site capability, Zoom would need to list every single company they contract with in their manifest, which is both an infeasible size issue and a privacy / data leak issue for them (and host a `web-app-origin-association` file in each of those domains).

So unfortunately allowing an organization / entity to say "any URLs in this site can be considered part of my app" is a required use-case here that we can't remove :(

This is one of the reasons this feature is very tightly scoped to just the 'scope' evaluation of a web app (e.g. what pages can be considered as part of this app, owned by the same company / entity). This matches what 'same-site' means, including the registrable domains check.

In the last TAG meeting this was actually brought up as a potential issue: being too tightly scoped. However, due to this same-site check, this is one of the reasons it was kept as such a tight scope: no other feature should be able to use this.

So then there are two questions at the end of this:

- Is this same-site check something that seems OK as it's so narrowly used for just this specific feature?
- Does the rest of the API seem OK for the other use cases that don't need same-site and only need origin checks?

-- Reply to this email directly or view it on GitHub: https://github.com/w3ctag/design-reviews/issues/875#issuecomment-2214751752
Received on Monday, 8 July 2024 17:17:41 UTC