[minutes] Aug 23 call


The minutes of our call held today (Aug 23) are available at:

and copied as text below.

                                WebView CG

23 August 2022

    [2]Agenda. [3]IRC log.

       [3] https://www.w3.org/2022/08/23-webview-irc


           Andy_Luhrs, Dom, JonathanKingston, MaxTsoy, NiklasMerz,
           Ovidio_Ruiz-Henriquez, QingAn, Rayan, ThomasSteiner,


           QingAn, Rayan



     1. [4]Review and discuss use cases
          1. [5]Different type of Webviews #19
          2. [6]Web storage and cookies #24
          3. [7]Disabling Web platform features & APIs #29
          4. [8]Intercept / Modify network traffic #30
          5. [9]Gather Diagnostic Data #33
          6. [10]Challenge: Apps can use WebViews to bypass web
             security standards, privacy standards, and user
             choice. #36
     2. [11]Other issues
          1. [12]Clarifications about Web Bundles, WebViews &
             MiniApps #34
     3. [13]TPAC agenda

Meeting minutes

    QingAn: this is our last meeting before TPAC; beyond issues, we
    should also discuss our TPAC logistics and agenda

   [14]Review and discuss use cases


     Different type of Webviews #19

    <ghurlbot> [15]Issue 19 Define different types of webviews
    (NiklasMerz) use case, Agenda+

      [15] https://github.com/WebView-CG/usage-and-challenges/issues/19

    Qing: we're close to agreeing this is a use case worth adopting
    … with a distinction between "full webviews" and webview-like
    browser experience

    Niklas: +1

    Qing: I'll work on a PR towards that

     Web storage and cookies #24

    <ghurlbot> [16]Issue 24 Manage web storage and cookies (muodov)
    use case, Agenda+

      [16] https://github.com/WebView-CG/usage-and-challenges/issues/24

    QingAn: any suggested next step for this issue?

    Max: all the webviews provide this feature one way or another
    … there are legit use cases for this
    … I think it should be included

    QingAn: could we add more detail to the use case?

    Andy: this is already doable with injected JS in any case

    <Zakim> dom, you wanted to ask if we should classify use cases
    (document security issues?) based on the type of usage (e.g.
    in-app-browser vs 1st-party rendering)

    dom: we should classify use cases (document security issues?)
    based on the type of usage (e.g. in-app-browser vs 1st-party

    rayan: +1 - this is a valid use case, but the context of when
    it is being used matters, with different security & privacy

    QingAn: ok, so we'll mark it as valid and iterate on security /
    privacy considerations separately

     Disabling Web platform features & APIs #29

    <ghurlbot> [17]Issue 29 Disable web platform features and web
    APIs (muodov) use case, Agenda+

      [17] https://github.com/WebView-CG/usage-and-challenges/issues/29

    Max: this is a more narrow use case, coming from our
    privacy-focused browser
    … there are cases where we want to disable Web APIs that would
    otherwise be available to Web pages
    … sometimes this can be done through JS injection (e.g. by
    nullifying globals),

    Rayan: which type of features are you thinking of? generally
    web exposed features? or things gated by permissions

    Jonathan: one example is WebFonts - we can't reduce entropy
    associated with it
    … we're also modifying e.g. canvas APIs for privacy

    Andy: privacy-relevant APIs would traditionally be behind
    permissions, which could be handled through our permission

    Jonathan: fonts or canvas aren't gated by permissions
    … this is probably not just a flat on/off switch which would
    not be web compatible

    Dom: the use case probably needs more detail - not sure if
    there is a generic mechanism that would work across features /
    … would be worth flushing out

    Jonathan: we can do that indeed

    Max: some of this can be managed through JS injection, so maybe we
    can leave it for later while we collect more details

     Intercept / Modify network traffic #30

    <ghurlbot> [18]Issue 30 Intercept / modify network traffic
    (muodov) use case, Agenda+

      [18] https://github.com/WebView-CG/usage-and-challenges/issues/30

    Max: this is a follow up to what has been discussed in other
    … intercepting HTTP requests / responses and headers
    … clearly a very security-sensitive topic
    … all webviews support this one way or another

    dom: have we discussed if and how webdriver could help deal
    with some of these issues; not sure what's the picture of
    webdriver support in webviews

    max: not sure webdriver is supported in webviews atm

    niklas: intercepts are available in both ios and android but
    with very different capabilities
    … some greater interop would help apps

    Rayan: in terms of having similar behaviors across platforms -
    would injecting a service worker help here?
    … we had a similar discussion for pre-caching where this
    wouldn't work
    … but here, would it work as an interoperable basis?

    Max: for full browser use cases, this wouldn't be enough
    because of the same-origin policies which would block
    intercepting 3rd-party requests
    … the closest thing that exists is the WebExtension API that
    allow some blocking / rewriting
    … but even there, we have some important limitations in what
    you can actually see / intercept
    … it would be nice to have something similar and possibly more
    powerful in full-fledged webviews
    … provided that the security part is handled of course

    Andy: WebView2 is drastically different from ios and android
    too - different across the board

    dom: I'm hearing lots of variations across platform but also a
    commonality of them being available
    … would be interesting to get a clearer picture of these
    variations and possibly their motivation

    Niklas: I can build a summary for Android and ios

    Andy: will be happy to complete that for WebView2

     Gather Diagnostic Data #33

    <ghurlbot> [19]Issue 33 Gather Diagnostic Data (aluhrs13) use
    case, Agenda+

      [19] https://github.com/WebView-CG/usage-and-challenges/issues/33

    Andy: we expose APIs in WebView2 to gather data about
    performance trace, heap/stack snapshot - getting detailed
    diagnostics has proved valuable to developers with complex app
    … they're harder to obtain in a browser case

    dom: are they used during development, or shipped to end users?

    andy: the latter - mostly in the feedback flow

    dom: ok, so shipped to end users and thus of the value of

    QingAn: any reaction on this being valid?

    Max: would be useful to document if this is available on other
    platforms as well
    … can someone help with that?

    Rayan: I can add context on the Android side of things
    … the webview runs in-process of the app, so a WebView crash
    takes the app down
    … there is a crash event that developers can exploit
    … for delegated Webviews à la custom-tab, there won't be
    anything available

    Niklas: similar for iOS

    Andy: it might also be interesting to analyse Chromium Embedded
    Framework (CEF) and Electron
    … they too provide additional diagnostics tools, incl path to
    upload them
    … I can document them

    QingAn: let's keep discussing on the issue then

     Challenge: Apps can use WebViews to bypass web security standards,
     privacy standards, and user choice. #36

    <ghurlbot> [20]Issue 36 Challenge: Apps can use WebViews to
    bypass web security standards, privacy standards, and user
    choice. (aluhrs13) use case, Agenda+

      [20] https://github.com/WebView-CG/usage-and-challenges/issues/36

    Andy: this issue is at odds with a lot of what we've been
    discussing so far :)
    … this will underly a lot of our discussions about allowing to
    build a browser vs keeping the right set of security & privacy

    dom: thanks for raising this important issue; I think we may
    struggle to deal with the underlying policy question about what
    constitutes a user agent, but we should be able to say that you
    only get access to additional capabilities by accepting the
    additional responsibilities of being a user agent

    andy: can we already document this as a challenge in the doc,
    without diving into the details yet?

    [thumbs up from max & dom]

    QingAn: is #31 independent or should we discuss them together?

    <ghurlbot> [21]Issue 31 WebView security model vs same-origin
    policy (muodov)

      [21] https://github.com/WebView-CG/usage-and-challenges/issues/31

    Max: I think they're strongly tied - this is about how the Web
    security model gets mapped to native security models
    … I think we should split #36 in different pieces

   Other issues

     Clarifications about Web Bundles, WebViews & MiniApps #34

    <ghurlbot> [22]Issue 34 Clarification around Web Bundles,
    WebViews, and MiniApps? (aluhrs13) Agenda+

      [22] https://github.com/WebView-CG/usage-and-challenges/issues/34

    Andy: this arose while I was researching one of my issues
    … I'm not sure of how much overlap we have with other efforts
    such as Web Bundles or MiniApps
    … it may be useful to document these

    QingAn: not sure we have anyone familiar with Web Bundles
    … I can provide information with MiniApps
    … I have committed to provide background on how MiniApps use
    WebViews, which I still have to get to

    dom: epub might be another category to document

    QingAn: we could see if Brady might help with that
    … let's collect more info in that issue

   TPAC agenda


    <ghurlbot> [23]Issue 35 TPAC agenda (rayankans) Agenda+

      [23] https://github.com/WebView-CG/usage-and-challenges/issues/35

    QingAn: we have a meeting scheduled on Friday of TPAC week for
    which we have a draft agenda
    … we'll introduce our CG report on usage scenarios & challenges
    … then dive into open issues, before discussing next steps
    … Dom also suggested to run a breakout meeting during the TPAC
    breakout day on Wednesday
    … we're evaluating this
    … we could introduce the CG report as a way to recruit more
    participants in the CG
    … TPAC will be hybrid with remote participants - you have to
    register and pay the fee to participate

    dom: note that there is no-question-asked fee waiver

    QingAn: next meeting on Sep 16 during TPAC - please register!

     Minutes manually created (not a transcript), formatted by
     [24]scribe.perl version 192 (Tue Jun 28 16:55:30 2022 UTC).

      [24] https://w3c.github.io/scribe2/scribedoc.html

Received on Tuesday, 23 August 2022 15:04:25 UTC