- From: Dominique Hazael-Massieux <dom@w3.org>
- Date: Tue, 23 Aug 2022 17:04:21 +0200
- To: public-webview@w3.org
Hi,
The minutes of our call held today (Aug 23) are available at:
https://www.w3.org/2022/08/23-webview-minutes.html
and copied as text below.
Dom
WebView CG
23 August 2022
[2]Agenda. [3]IRC log.
[2]
https://github.com/WebView-CG/usage-and-challenges/blob/main/meetings/8th-meeting-agenda-220823.md
[3] https://www.w3.org/2022/08/23-webview-irc
Attendees
Present
Andy_Luhrs, Dom, JonathanKingston, MaxTsoy, NiklasMerz,
Ovidio_Ruiz-Henriquez, QingAn, Rayan, ThomasSteiner,
Tim_Cappalli
Regrets
-
Chair
QingAn, Rayan
Scribe
dom
Contents
1. [4]Review and discuss use cases
1. [5]Different type of Webviews #19
2. [6]Web storage and cookies #24
3. [7]Disabling Web platform features & APIs #29
4. [8]Intercept / Modify network traffic #30
5. [9]Gather Diagnostic Data #33
6. [10]Challenge: Apps can use WebViews to bypass web
security standards, privacy standards, and user
choice. #36
2. [11]Other issues
1. [12]Clarifications about Web Bundles, WebViews &
MiniApps #34
3. [13]TPAC agenda
Meeting minutes
QingAn: this is our last meeting before TPAC; beyond issues, we
should also discuss our TPAC logistics and agenda
[14]Review and discuss use cases
[14]
https://github.com/WebView-CG/usage-and-challenges/issues?q=is:issue+is:open+label:Agenda+
Different type of Webviews #19
<ghurlbot> [15]Issue 19 Define different types of webviews
(NiklasMerz) use case, Agenda+
[15] https://github.com/WebView-CG/usage-and-challenges/issues/19
Qing: we're close to agreeing this is a use case worth adopting
… with a distinction between "full webviews" and webview-like
browser experience
Niklas: +1
Qing: I'll work on a PR towards that
Web storage and cookies #24
<ghurlbot> [16]Issue 24 Manage web storage and cookies (muodov)
use case, Agenda+
[16] https://github.com/WebView-CG/usage-and-challenges/issues/24
QingAn: any suggested next step for this issue?
Max: all the webviews provide this feature one way or another
… there are legit use cases for this
… I think it should be included
QingAn: could we add more detail to the use case?
Andy: this is already doable with injected JS in any case
<Zakim> dom, you wanted to ask if we should classify use cases
(document security issues?) based on the type of usage (e.g.
in-app-browser vs 1st-party rendering)
dom: we should classify use cases (document security issues?)
based on the type of usage (e.g. in-app-browser vs 1st-party
rendering)
rayan: +1 - this is a valid use case, but the context of when
it is being used matters, with different security & privacy
implications
QingAn: ok, so we'll mark it as valid and iterate on security /
privacy considerations separately
Disabling Web platform features & APIs #29
<ghurlbot> [17]Issue 29 Disable web platform features and web
APIs (muodov) use case, Agenda+
[17] https://github.com/WebView-CG/usage-and-challenges/issues/29
Max: this is a more narrow use case, coming from our
privacy-focused browser
… there are cases where we want to disable Web APIs that would
otherwise be available to Web pages
… sometimes this can be done through JS injection (e.g. by
nullifying globals),
Rayan: which type of features are you thinking of? generally
web exposed features? or things gated by permissions
Jonathan: one example is WebFonts - we can't reduce entropy
associated with it
… we're also modifying e.g. canvas APIs for privacy
preservation
Andy: privacy-relevant APIs would traditionally be behind
permissions, which could be handled through our permission
discussion
Jonathan: fonts or canvas aren't gated by permissions
… this is probably not just a flat on/off switch which would
not be web compatible
Dom: the use case probably needs more detail - not sure if
there is a generic mechanism that would work across features /
APIs
… would be worth fleshing out
Jonathan: we can do that indeed
Max: some of this can be managed through JS injection, so maybe we
can leave it for later while we collect more details
Intercept / Modify network traffic #30
<ghurlbot> [18]Issue 30 Intercept / modify network traffic
(muodov) use case, Agenda+
[18] https://github.com/WebView-CG/usage-and-challenges/issues/30
Max: this is a follow up to what has been discussed in other
issues
… intercepting HTTP requests / responses and headers
… clearly a very security sensitive topic
… all webviews support this one way or another
dom: have we discussed if and how webdriver could help deal
with some of these issues; not sure what's the picture of
webdriver support in webviews
max: not sure webdriver is supported in webviews atm
niklas: intercepts are available in both iOS and Android but
with very different capabilities
… some greater interop would help apps
Rayan: in terms of having similar behaviors across platforms -
would injecting a service worker help here?
… we had a similar discussion for pre-caching where this
wouldn't work
… but here, would it work as an interoperable basis?
Max: for full browser use cases, this wouldn't be enough
because of the same-origin policies which would block
intercepting 3rd-party requests
… the closest thing that exists is the WebExtension API that
allows some blocking / rewriting
… but even there, we have some important limitations in what
you can actually see / intercept
… it would be nice to have something similar and possibly more
powerful in full-fledged webviews
… provided that the security part is handled of course
Andy: WebView2 is drastically different from iOS and Android
too - different across the board
dom: I'm hearing lots of variations across platform but also a
commonality of them being available
… would be interesting to get a clearer picture of these
variations and possibly their motivation
Niklas: I can build a summary for Android and ios
Andy: will be happy to complete that for WebView2
Gather Diagnostic Data #33
<ghurlbot> [19]Issue 33 Gather Diagnostic Data (aluhrs13) use
case, Agenda+
[19] https://github.com/WebView-CG/usage-and-challenges/issues/33
Andy: we expose APIs in WebView2 to gather data about
performance traces, heap/stack snapshots - getting detailed
diagnostics has proved valuable to developers with complex apps
… they're harder to obtain in a browser case
dom: are they used during development, or shipped to end users?
andy: the latter - mostly in the feedback flow
dom: ok, so shipped to end users and thus there is value in
commonality
QingAn: any reaction on this being valid?
Max: would be useful to document if this is available on other
platforms as well
… can someone help with that?
Rayan: I can add context on the Android side of things
… the webview runs in-process of the app, so a WebView crash
takes the app down
… there is a crash event that developers can exploit
… for delegated Webviews à la custom-tab, there won't be
anything available
Niklas: similar for iOS
Andy: it might also be interesting to analyse Chromium Embedded
Framework (CEF) and Electron
… they too provide additional diagnostics tools, incl path to
upload them
… I can document them
QingAn: let's keep discussing on the issue then
Challenge: Apps can use WebViews to bypass web security standards,
privacy standards, and user choice. #36
<ghurlbot> [20]Issue 36 Challenge: Apps can use WebViews to
bypass web security standards, privacy standards, and user
choice. (aluhrs13) use case, Agenda+
[20] https://github.com/WebView-CG/usage-and-challenges/issues/36
Andy: this issue is at odds with a lot of what we've been
discussing so far :)
… this will underlie a lot of our discussions about allowing to
build a browser vs keeping the right set of security & privacy
dom: thanks for raising this important issue; I think we may
struggle to deal with the underlying policy question about what
constitutes a user agent, but we should be able to say that you
only get access to additional capabilities by accepting the
additional responsibilities of being a user agent
andy: can we already document this as a challenge in the doc,
without diving into the details yet?
[thumbs up from max & dom]
QingAn: is #31 independent or should we discuss them together?
<ghurlbot> [21]Issue 31 WebView security model vs same-origin
policy (muodov)
[21] https://github.com/WebView-CG/usage-and-challenges/issues/31
Max: I think they're strongly tied - this is about how the Web
security model gets mapped to native security models
… I think we should split #36 in different pieces
Other issues
Clarifications about Web Bundles, WebViews & MiniApps #34
<ghurlbot> [22]Issue 34 Clarification around Web Bundles,
WebViews, and MiniApps? (aluhrs13) Agenda+
[22] https://github.com/WebView-CG/usage-and-challenges/issues/34
Andy: this arose while I was researching one of my issues
… I'm not sure of how much overlap we have with other efforts
such as Web Bundles or MiniApps
… it may be useful to document these
QingAn: not sure we have anyone familiar with Web Bundles
… I can provide information with MiniApps
… I have committed to provide background on how MiniApps use
WebViews, which I still have to get to
dom: epub might be another category to document
QingAn: we could see if Brady might help with that
… let's collect more info in that issue
TPAC agenda
#35
<ghurlbot> [23]Issue 35 TPAC agenda (rayankans) Agenda+
[23] https://github.com/WebView-CG/usage-and-challenges/issues/35
QingAn: we have a meeting scheduled on Friday of TPAC week for
which we have a draft agenda
… we'll introduce our CG report on usage scenarios & challenges
… then dive into open issues, before discussing next steps
… Dom also suggested to run a breakout meeting during the TPAC
breakout day on Wednesday
… we're evaluating this
… we could introduce the CG report as a way to recruit more
participants in the CG
… TPAC will be hybrid with remote participants - you have to
register and pay the fee to participate
dom: note that there is a no-questions-asked fee waiver
QingAn: next meeting on Sep 16 during TPAC - please register!
Minutes manually created (not a transcript), formatted by
[24]scribe.perl version 192 (Tue Jun 28 16:55:30 2022 UTC).
[24] https://w3c.github.io/scribe2/scribedoc.html
Received on Tuesday, 23 August 2022 15:04:25 UTC