W3C home > Mailing lists > Public > public-webapps@w3.org > July to September 2010

Re: Widgets - WARP, Widgets Updates and Digital Signatures

From: Marcos Caceres <marcosc@opera.com>
Date: Thu, 16 Sep 2010 17:58:18 +0200
Message-ID: <AANLkTi=27tUDHZz4ZGsv-bTou_MO1kSKf+FdRhEAKRfY@mail.gmail.com>
To: nathan@webr3.org
Cc: "Nilsson, Claes1" <Claes1.Nilsson@sonyericsson.com>, "Frederick.Hirsch@nokia.com" <Frederick.Hirsch@nokia.com>, "public-device-apis@w3.org" <public-device-apis@w3.org>, public-webapps <public-webapps@w3.org>
On Thu, Sep 16, 2010 at 1:42 PM, Nathan <nathan@webr3.org> wrote:
> cc: public-webapps
> Hi Claes,
> Nilsson, Claes1 wrote:
>> Hi Nathan,
>> Thanks for clarifying your proposal.
>> I interpret you so that you are proposing standardization of a general
>> concept of "packaged and installed web applications". Something like
>> http://code.google.com/chrome/apps/docs/index.html plus additional features
>> from widgets specifications.
>> This is something that can have a value by several reasons, for example:
>> * Whole application package or only manifest/configuration file could be
>> digitally signed.
>> * Permission to use APIs could be given at installation time.
>> * Manifest/configuration file could define network access limitations.
>> * Web application marketing/deployment/charging advantages.
>> I agree that the specifications you mention are applicable for a general
>> concept of "packaged and installed web applications" but I believe that
>> currently most people have the view that "widgets" are "packaged and
>> installed web applications" that run small "live" applications on the home
>> screen. However, what does the widgets specifications actually say? I
>> haven't digged into the documents in detail but are they not already
>> enabling a general concept of "packaged and installed web applications"?
>> So far there has been a distinction between "browser", running dynamic
>> content on web sites and "widget user agent", running installed web widgets.
>> Reading you original mail in this thread you say:
>> " Simply wondering why WARP, Widgets Updates and Digital Signatures aren't
>> used to deploy js applications which run in the main browser context?".
>> So, what are you actually proposing?
>> * Update to HTML5 to support "packaged and installed web applications" in
>> the "main browser context"?
>> Plus
>> * Updates to the Widgets specifications to enable the more general concept
>> of "packaged and installed web applications"?
> I'm proposing something before that, to consider whether "packaged and
> installed web applications" should be considered and if it would be viable +
> gain support from the main browser vendors, then to look at exactly how. I'd
> loosely suggest that the work done on the Widgets specifications could be
> re-used, forked or even that the Widgets specifications were re-scoped to
> general client side web applications and aligned with the other work being
> done within web-apps, html5 and device-apis. Ultimately it just seemed to me
> like much of the heavy lifting has already been done under the banner of
> widgets.

I thought that is what we had done already? I don't get it.

>> Furthermore, do we really want "packaged and installed web applications"
>> to run by the same user agent, i.e. the normal browser as normal website
>> based web applications? We may want to have different "user agent chromes"
>> depending on type of web application.
> Personally, yes, being able to make applications using a suite of
> standardized languages and APIs with near universal deployment on a core set
> of rapidly evolving runtimes, really, really, appeals :) I wouldn't suggest
> that the scope be limited to user agent (ie browser vendors) only, but they
> are the obvious target for most applications in the first instance.

As above. I thought that was what we (Web Apps WG - Widgets) have been
doing for the last 5 years?

>> Best regards
>>  Claes
>>> -----Original Message-----
>>> From: Nathan [mailto:nathan@webr3.org]
>>> Sent: den 8 september 2010 18:27
>>> To: Nilsson, Claes1
>>> Cc: Frederick.Hirsch@nokia.com; public-device-apis@w3.org
>>> Subject: Re: Widgets - WARP, Widgets Updates and Digital Signatures
>>> Hi Claes,
>>> I think the main thing that's missing from the proposal is context :)
>>> With the advent of client side persistence solutions and ever
>>> increasing
>>> device/browser capabilities, it's now possible to make 100% client side
>>> js applications which run in the browser, everything from small games
>>> and micro-blog clients right up to full document/image editors. There
>>> is
>>> a strong shift in this direction from many corners of the web.
>>> Currently application developers can choose between:
>>>  (1) hosting the client side application on a 'website'.
>>>  (2) creating a vendor specific 'extension'.
>>> When really, what we all want/need is to be able to 'install' an
>>> application which runs in the main browser context (i.e. can be used
>>> off
>>> line, can be packaged as an application, can be signed, can contain an
>>> access request policy).
>>> You might think of this as cross between a Mozilla Prism, browser
>>> extensions, widgets and traditional web applications. Universal web
>>> applications that can run on any device.
>>> To my untrained eye, it appears that virtually everything needed to
>>> take
>>> a series of scripts & resources and wrap them up in a manner similar to
>>> extensions is already spec'd out in the various widget specifications.
>>> Everything needed to run the applications universally is already
>>> provided by any user agent on any device that implements
>>> js/html/web-apps/device apis.
>>> Thus, the suggestion to scope using the widgets specifications as a way
>>> to package all this up and give the world universal web applications
>>> which run on any device and provided the needed
>>> packaging/signing/access-request/update side of things.
>>> Best,
>>> Nathan
>>> Nilsson, Claes1 wrote:
>>>> Hi,
>>>> Assuming I don't misunderstand the proposal/questions I would say:
>>>> * WARP: Might work for main browser context?
>>>> * Digital Signatures for Widgets: I guess that using "Digital
>>> Signatures for Widgets" for normal web application running in the
>>> browser wouldn't work as this specification assumes signing of an
>>> installed package. For web applications running in main browser context
>>> the corresponding specification is xmldsig
>>> (http://www.w3.org/TR/xmldsig-core/), that makes it possible to sign
>>> defined parts of web content. However, as far as I know this
>>> specification has not been much implemented as it is considered
>>> complicated. Don't know any details.
>>>> * Widgets Update: Don't see the meaning of this for browser context
>>> as this specification assumes an installed package.
>>>> Regards
>>>>  Claes
>>>>> -----Original Message-----
>>>>> From: public-device-apis-request@w3.org [mailto:public-device-apis-
>>>>> request@w3.org] On Behalf Of Frederick.Hirsch@nokia.com
>>>>> Sent: den 7 september 2010 20:24
>>>>> To: public-device-apis@w3.org
>>>>> Cc: Frederick.Hirsch@nokia.com; nathan@webr3.org
>>>>> Subject: Fwd: Widgets - WARP, Widgets Updates and Digital Signatures
>>>>> Forwarding with permission .
>>>>> What do you think of this approach?
>>>>> regards, Frederick
>>>>> Frederick Hirsch
>>>>> Nokia
>>>>> Begin forwarded message:
>>>>>> From: ext Nathan <nathan@webr3.org>
>>>>>> Date: September 3, 2010 1:52:26 PM EDT
>>>>>> To: public-webapps <public-webapps@w3.org>
>>>>>> Subject: Widgets - WARP, Widgets Updates and Digital Signatures
>>>>>> Reply-To: "nathan@webr3.org" <nathan@webr3.org>
>>>>>> Hi All,
>>>>>> Simply wondering why WARP, Widgets Updates and Digital Signatures
>>>>> aren't
>>>>>> used to deploy js applications which run in the main browser
>>> context?
>>>>>> seems like a nice solution that would work webscale, and which
>>> would
>>>>>> provide further user security, identification of trusted apps and
>>>>> cover
>>>>>> the other half of CORS which is informing and protecting the user.
>>>>>> Perhaps one of the vendors has already implemented in the main
>>>>> context?
>>>>>> Best,
>>>>>> Nathan

Marcos Caceres
Opera Software ASA, http://www.opera.com/
Received on Thursday, 16 September 2010 15:59:15 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:13:11 UTC