W3C home > Mailing lists > Public > public-webapps@w3.org > January to March 2015

Updated: Running trusted code in the untrusted web

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Tue, 17 Feb 2015 19:40:14 +0100
Message-ID: <54E38B0E.3030502@gmail.com>
To: public-webapps <public-webapps@w3.org>, sysapps <public-sysapps@w3.org>
Although I still prefer native messaging, here is a more complete proposal for a webish solution:


On 2015-02-17 06:32, Anders Rundgren wrote:
> For those who frown at the idea of calling native (trusted) applications from the untrusted web [1],
> here is a writeup of how you could run trusted web-code inside of a untrusted web-application.
> Regarding the use-cases, there are many ranging from phone-dialers on support pages to payments [2].
> Since you probably do not want to rewrite browsers from scratch, the most logical
> is building on running trusted code in IFRAMEs so that the existing protection scheme
> can be reused.   The difference with existing IFRAMEs is that the code must be trusted
> by the platform which also means that it must be fetched from the platform:
> <iframe trustedapp="com.example.PaymentRequest" ... ></iframe>
> This code should appear to the browser as coming from a virtual domain.
> The only communication possible is through postMessage().
> If the referenced application isn't available in the local cache, the browser should presumably
> consult the device-specific "AppStore".
> A side-effect of this "specification" is that trusted web-applications may be device-specific which
> actually is a plus since it reduces the need to standardize access to the OS and HW layer.
> That is, there could be a new class of standardized trusted web-applications where only
> the invoke/postMessage part is standardized!
> Cheers,
> Anders Rundgren
> 1] https://lists.w3.org/Archives/Public/public-web-intents/2015Feb/0000.html
> 2] Although not entirely compliant with the above, the following demo
> https://mobilepki.org/WebCryptoPlusPlus
> does the same thing from a user's perfective.
Received on Tuesday, 17 February 2015 18:41:06 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:14:43 UTC