- From: Dominique Hazael-Massieux <dom@w3.org>
- Date: Wed, 8 Jun 2022 09:54:12 +0200
- To: public-webview@w3.org
Hi,
The minutes of today's WebView CG call are available at:
https://www.w3.org/2022/06/08-webview-minutes.html
and copied as text below.
Dom
WebView CG
08 June 2022
[2]Agenda. [3]IRC log.
[2] https://github.com/WebView-CG/usage-and-challenges/blob/main/meetings/4th-meeting-agenda-220608.md
[3] https://www.w3.org/2022/06/08-webview-irc
Attendees
Present
BradyDuga, Dom, JiashengWu, MaxTsoy, Niklas Merz,
NiklasMerz, QingAn, Rayan
Regrets
-
Chair
QingAn, Rayan
Scribe
dom
Contents
1. [4]Review and discuss use cases
1. [5]#12
2. [6]#16
3. [7]#17
4. [8]#7
5. [9]#10
2. [10]AOB
Meeting minutes
ghurlbot, use WebView-CG/usage-and-challenges
<ghurlbot> dom, OK
Review and discuss use cases
#12
<ghurlbot> [11]Issue 12 Sharing HTTP requests/responses between
Native & Webview (JohnRiv) use case, Agenda+
[11] https://github.com/WebView-CG/usage-and-challenges/issues/12
QingAn: this use case is about sharing http requests &
responses between native & webview
… or use native as a proxy for the WebView
… I've described the scenarios associated with this usage
… 1st four are articulated around proxy with access control,
firewall, ...
… the last one is more directly related to sharing
request/response
Niklas: +1 to this use case - I've had to do this kind of
native proxy to work around CORS issues
QingAn: +1 on this being a valid use case
… is there agreement on adding this to the document?
… any objection or further comment?
Rayan: using this to bypass the CORS / security model for the Web
shouldn't be something we push for
… we should maintain the privacy / security pillars of the Web
QingAn: could you comment to that effect in the issue?
dom: how would you do e.g. a podcast app without overriding CORS?
rayan: I just want to make sure we discuss the situation rather
than accepting CORS-override as a default
… there are alternatives that are worth documenting at the very
least
… will bring it to the issue
#16
<ghurlbot> [12]Issue 16 Display and manipulate third party
content while blocking third party scripting (bduga) use case,
Agenda+
[12] https://github.com/WebView-CG/usage-and-challenges/issues/16
Brady: this comes up frequently in the digital publishing world
… we have 3rd party content from publishers or from users
… we want to display it in a WebView for rich display
… but we don't want any script to run - we don't want to have
to trust them
… but we still want to manipulate the content (e.g. to change
fonts, margins)
… which typically would be done through script injection
… you can't turn off JS to run yours, but you don't want to run
the 3rd party JS
dom: wouldn't Content Security Policy enable this?
Brady: maybe, I don't know
… our approach has been to remove as much JS as we can, but
that's never going to be perfect
dom: we should add Content-Security-Policy to the related W3C
deliverables
brady: a solution that I like is exposing the DOM & CSS OM to
native code so that I don't have to write JS - but probably
lots harder to do
QingAn: I think Android and iOS have private interfaces to
achieve this
dom: another approach might be to hook Subresource Integrity to
control tightly which scripts get executed
QingAn: a similar issue has been brought up in the context of
mini apps
… I'll ask some miniapps folks to chime in with their use cases
in the issue
Rayan: supports this as a valid use case
… +1 to Dom that CSP can support this
QingAn: is CSP supported in WebViews?
Rayan: it should be in Android at least
QingAn: Mini-Apps use OS WebViews and other customized views;
some miniapps vendors do not support CSP through their webviews
Rayan: this also relates to Web Platform compat in WebViews
#17
<ghurlbot> [13]Issue 17 Render WebView Components and Native
Components in same layer (QingAn) use case, Agenda+
[13] https://github.com/WebView-CG/usage-and-challenges/issues/17
QingAn: it's common for hybrid & mini apps to mix native and
WebView components, e.g. many hybrid apps prefer to use their
native video component for better performance
… this means the rendering is done by the native app instead of
the webview
… this enables more features due to the native abilities
… but it creates rendering issues for developers
… e.g. z-index property can't be applied to the native
component
… it would be good if the native component could be rendered in
the same layer as the webview instead of a different layer
… e.g. with the native component treated as a DOM node that
could be better controlled by the developer for layout
… there are private solutions that address this problem e.g. by
mini-apps vendors
… having a solution provided directly by default webviews would
help
… this is a widely encountered issue in the miniapps world
Rayan: hybrid merging of layers feels more like an OS feature
than a WebView feature
… is the proposal to make the native component part of the DOM?
QingAn: yes
… when we start looking at solutions, I can share how miniapps
deal with this through private solutions
Rayan: that would be very interesting
<QingAn> ?
#7
<ghurlbot> [14]Issue 7 What is the "Origin" in a WebView, for
locally hosted content? (lrosenthol) Agenda+
[14] https://github.com/WebView-CG/usage-and-challenges/issues/7
Niklas: I've worked with Apache Cordova; Android and iOS have
different approaches to using local content
… it used to be that you would use [15]file:///
… but to help with dealing with cross-origin, they introduced
two different approaches
… iOS uses a custom:// scheme, where Android uses a custom
domain name
… having a unified approach would help
[15] https://www.w3.org/
QingAn: are you suggesting a standardized URI scheme for this?
Niklas: yes
QingAn: would locally hosted content be considered secure? or are
there security risks associated with it?
Niklas: in the context of Apache Cordova, you're in full
control of the content that gets shipped through app store
… from my experience, it should be safe
Rayan: +1 - it should be considered as first party
… having the ability to standardize its origin would help
QingAn: +1
… should we suggest a standardized scheme for locally hosted
content in the solution space?
[room: yes]
QingAn: should we merge this with #15?
<ghurlbot> [16]Issue 15 Third party cookies and cross origin
ressource sharing in webviews (NiklasMerz) use case
[16] https://github.com/WebView-CG/usage-and-challenges/issues/15
Niklas: #15 is a derivative - we should probably focus on #7
for now
<ghurlbot> [17]Issue 7 What is the "Origin" in a WebView, for
locally hosted content? (lrosenthol) Agenda+
[17] https://github.com/WebView-CG/usage-and-challenges/issues/7
QingAn: could you add use cases to #7 then Niklas?
dom: having a well-defined origin will also help with using CSP
for third-party filtering
#10
<ghurlbot> [18]Issue 10 UserScript injection in WebView
(Token-LiMing) use case
[18] https://github.com/WebView-CG/usage-and-challenges/issues/10
Qing: we can close this issue
AOB
[19]Winter Community CG
[19] https://www.w3.org/community/wintercg
Dom: the Winter CG (Web Interoperable Runtime) launched
recently, with possibly some overlapping interests
Dom: also TPAC schedule has been announced, including our
meeting slot for WebView CG
[20]Draft of WebView: Usage Scenarios and Challenges
[20] https://webview-cg.github.io/usage-and-challenges/
QingAn: currently only one use case, will add others we've
agreed on
… building up for something to share at the upcoming TPAC
Received on Wednesday, 8 June 2022 07:54:30 UTC