
Updated: Running trusted code in the untrusted web

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Tue, 17 Feb 2015 19:40:14 +0100
Message-ID: <54E38B0E.3030502@gmail.com>
To: public-webapps <public-webapps@w3.org>, sysapps <public-sysapps@w3.org>

Although I still prefer native messaging, here is a more complete proposal for a webish solution:
http://webpki.org/papers/trusted-web-apps.pdf

Anders

On 2015-02-17 06:32, Anders Rundgren wrote:
> For those who frown at the idea of calling native (trusted) applications from the untrusted web [1],
> here is a writeup of how you could run trusted web-code inside of an untrusted web-application.
>
> Regarding the use-cases, there are many ranging from phone-dialers on support pages to payments [2].
>
> Since you probably do not want to rewrite browsers from scratch, the most logical
> is building on running trusted code in IFRAMEs so that the existing protection scheme
> can be reused. The difference with existing IFRAMEs is that the code must be trusted
> by the platform which also means that it must be fetched from the platform:
>
> <iframe trustedapp="com.example.PaymentRequest" ... ></iframe>
>
> This code should appear to the browser as coming from a virtual domain.
> The only communication possible is through postMessage().
>
> If the referenced application isn't available in the local cache, the browser should presumably
> consult the device-specific "AppStore".
>
> A side-effect of this "specification" is that trusted web-applications may be device-specific which
> actually is a plus since it reduces the need to standardize access to the OS and HW layer.
>
> That is, there could be a new class of standardized trusted web-applications where only
> the invoke/postMessage part is standardized!
>
> Cheers,
> Anders Rundgren
>
> [1] https://lists.w3.org/Archives/Public/public-web-intents/2015Feb/0000.html
>
> [2] Although not entirely compliant with the above, the following demo
> https://mobilepki.org/WebCryptoPlusPlus
> does the same thing from a user's perspective.
>
Received on Tuesday, 17 February 2015 18:41:06 UTC
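
The postMessage()-only channel described in the quoted proposal puts the whole trust boundary in the host page's message handler. The following is an added example, not part of the thread or of the linked paper, showing the checks that handler needs; the `trustedapp://` origin format, the message fields and the function names are assumptions, since the post does not define them.

```javascript
// Hypothetical origin for the "virtual domain"; the post does not define its format.
const TRUSTED_ORIGIN = "trustedapp://com.example.PaymentRequest";

// Host-page side of the channel. frameWindow is iframe.contentWindow.
function createHostChannel(frameWindow, trustedOrigin) {
  const pending = new Map(); // request id -> reply callback
  let counter = 0;
  return {
    // Post a request to the trusted frame only; never use "*" as target origin.
    request(type, body, onReply) {
      const id = `req-${++counter}`;
      pending.set(id, onReply);
      frameWindow.postMessage({ id, type, body }, trustedOrigin);
      return id;
    },
    // "message" event handler; returns true only when the reply is accepted.
    handle(event) {
      if (event.source !== frameWindow) return false;   // sent by another window
      if (event.origin !== trustedOrigin) return false; // not the trusted app
      const msg = event.data;
      if (msg === null || typeof msg !== "object") return false;
      if (typeof msg.id !== "string" || !pending.has(msg.id)) return false;
      const onReply = pending.get(msg.id);
      pending.delete(msg.id); // one reply per request, so replays are dropped
      onReply(msg.body);
      return true;
    },
  };
}

// Constructed events run against a stub frame, so no browser is needed.
function demo() {
  const frame = { sent: [], postMessage(data, origin) { this.sent.push({ data, origin }); } };
  const channel = createHostChannel(frame, TRUSTED_ORIGIN);
  const replies = [];
  const id = channel.request("pay", { amount: "10.00" }, (body) => replies.push(body));
  const reply = { id, body: { status: "authorized" } };
  const results = [
    channel.handle({ source: {}, origin: TRUSTED_ORIGIN, data: reply }),            // other window
    channel.handle({ source: frame, origin: "https://evil.example", data: reply }), // wrong origin
    channel.handle({ source: frame, origin: TRUSTED_ORIGIN, data: reply }),         // genuine reply
    channel.handle({ source: frame, origin: TRUSTED_ORIGIN, data: reply }),         // replayed reply
  ];
  return { results, replies, targetOrigin: frame.sent[0].origin };
}
```

In a page, the handler would be registered with `window.addEventListener("message", (e) => channel.handle(e))`.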
