Re: Installing web apps

On Wed, 1 Feb 2012, Tim Berners-Lee wrote:
> These apps have got to be able to completely
> act as agents trusted by the user, like for example
> 	- a web browser

You want to write a Web browser in a Web browser?

> 	- a calendar client

There are lots of calendar clients written on the Web today.

> 	- an IMAP client

There are lots of mail clients written on the Web today.

> and so on, none of these can you currently write as a web app, because 
> of CORS.

I don't think it has anything to do with CORS. An IMAP client, that is, a 
mail client that communicates to a remote server using the IMAP protocol 
rather than HTTP or WebSockets, is only not possible today because there's 
no raw sockets API (which there can't safely be). The problem is trivial 
to work around by just wrapping IMAP in WebSockets. Nothing to do with 
CORS (or even the same-origin policy).

> As a user when I install an app, I want to be able to give it access to 
> a selection of:

Providing access to these things when the app is installed is IMHO a net 
worse security model than granting access to these things implicitly when 
the feature is needed.

Of the things you list, the following are already possible without an 
up-front permission grant, in a manner more secure than an up-front grant:

> - Program storage, to a limit
> - Whether it is permanently available or downloaded or cached for a while
> - Access to RAM at runtime, to a limit
> - CPU time when in background, to a limit
> - Access to the net, maybe to a bandwidth limit
> - Access to its own local storage up to a given limit
> - Access to shared local storage up to a given limit
> - Access to my location, as we currently allow an origin;
> - Access video and still camera, and sound
> - Access to other sensors such as temp, accelerometer, etc

(Temp isn't current exposed, but there's no reason it couldn't be the 
same way as other things.)

> - Ability to access anything on the web

What's the use case for this?

> I want to be able to se where all my resources (including CPU, RAM, 
> 'disk')  on my laptop or tablet or phone are being used up, just like I 
> do with music and movies.

You can do that today without an up-front permission grant. (q.v. Chrome's 
task manager, for example.)

> I want maybe a couple of default profiles for all the above.

That's more complicated than having on profiles at all.

> (I'll want to sync its local and shared data storage between all my 
> devices too)

That's possible without the site knowing anything about it. Chrome already 
does it to some extent.

> If I can't give power to apps, then the web app platform cannot compete 
> with native apps.

There's plenty of things we can do to make the Web platform more 
compelling and a better competitor to native apps, but adding "installing" 
isn't one of them. That would in fact take one of the Web's current 
significant advantages over native apps and kill it.

Ian Hickson               U+1047E                )\._.,--....,'``.    fL       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Wednesday, 1 February 2012 19:04:14 UTC