Re: App Manifest & API Proposal from Ian Hickson on 2012-05-12 (public-webapps@w3.org from April to June 2012)

From: Ian Hickson <ian@hixie.ch>
Date: Sat, 12 May 2012 20:14:56 +0000 (UTC)
To: Anant Narayanan <anant@mozilla.com>
cc: public-webapps <public-webapps@w3.org>
Message-ID: <Pine.LNX.4.64.1205122008230.25792@ps20323.dreamhostps.com>

On Sat, 12 May 2012, Anant Narayanan wrote:
> 
> Q. Apps are just web pages, why bother "installing" them?
> 
> A. This has been previously discussed on the list [4].
> [4] http://lists.w3.org/Archives/Public/public-webapps/2012JanMar/0464.html

This has already received a reply:

   http://lists.w3.org/Archives/Public/public-webapps/2012JanMar/0465.html

> There are clear differences in perception between an app and a website 
> for most users. Most web content is expected to be free, but the same 
> content wrapped in an app is something people seem to be willing to pay 
> for. Monetization is important to encourage a thriving web developer 
> community.

I don't think it makes sense to use a technical solution to a 
non-technical problem.

> Additionally, treating certain "installed" websites as apps gives us a 
> context separate from loading pages in a browser, which allows us to 
> provide privileged APIs to such trusted apps, APIs we would normally not 
> give to untrusted web content.

Desktop operating systems have demonstrated over a period of many years 
that this approach simply doesn't work. Users find it very difficult to 
understand what it means to "trust" an app. The Web's security model is 
IMHO significantly superior than any of the "app" security models we have 
seen in "native" operating systems, as demonstrated by the way that when 
malware is written to the "app" model it has to be dealt with by curating 
the application market space, whereas when malware is written to the Web 
model it is almost always because of errors in the design or 
implementation of the Web platform that, once fixed, preclude any similar 
attack from being performed again.

The "installation" security model of asking the user up-front to grant 
trust just doesn't work because users don't understand the question, and 
the "installation" security model of curating apps and trying to determine 
by empirical examination whether an application is trustworthy or not just 
doesn't scale.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Saturday, 12 May 2012 20:15:22 UTC