[minutes] March 22nd meeting


The minutes of the WebView CG meeting held today (March 22nd) are 
available at:

and copied as text below.

                            WebView CG meeting

22 March 2023

    [2]IRC log.

       [2] https://www.w3.org/2023/03/22-webview-irc


           Dom, NiklasMerz, QingAn, Rayan, tomayac7





     1. [3]Locally hosted content #2
     2. [4]Controlled Frame explainer FYI and review
     3. [5]AOB

Meeting minutes

    [6]Controlled Frame explainer FYI and review #3

       [6] https://github.com/WebView-CG/explainers/issues/3

   [7]Locally hosted content #2

       [7] https://github.com/NiklasMerz/explainer-webview-local-content

    Niklas: this is a proposal to find a common denominator across
    webviews to expose local content to WebViews - based on what's
    in iOS and Android
    … right now, the different implementations have different
    limitations, different choices (e.g. origins)
    … having a single API would benefit developers

    Rayan: seen feedback; most of it around origins

    [8]Discussions around the explainer


    Rayan: how would the app affect the origin? would app Foo be a
    different origin from app Bar?
    … [9]myapp://foo vs [10]mapp://bar

       [9] myapp://foo/
      [10] mapp://bar/

    Niklas: they would be different origins

    Rayan: Android today treats these as different origins

    Niklas: OK, so it's worth clarifying in the explainer

    Rayan: there is also ongoing work to standardize custom schemes

    [11]Intent to Ship: Support URLs with non-special schemes


    Rayan: there seems to be alignment with GeckoView and Webkit
    behind this proposal

    Rayan: assuming there is convergence, does that affect your
    preference on option 1 vs option 2?

    Niklas: not really; with HTTPS, you can use CSP / CORS and get
    more Web foo

    Rayan: a lot of the considerations also need to take into
    account how Web sites work; at the moment with custom
    schemes, CSP / CORS will break
    … that's an important consideration for this API
    … my hesitation with HTTPS, it doesn't feel right to use it to
    serve your own content

    Dom: I wonder if we could use a magic HTTPS origin à la

    Rayan: what happens if you have a custom scheme and want to
    load resources? do you rely on the interception API?

    Niklas: in iOS, any request on that custom scheme gets
    intercepted (usually a simple mapping to the filesystem)

    Rayan: any impact on performance / latency?

    Niklas: this hasn't been an issue in the apps I've worked on

    Dom: where would we go next after we converge on these

    Rayan: there is interest on Android WebView once there is more
    clarity on https vs custom schemes
    … Andy from the Windows webview is also participating in the

    Niklas: I'll ping my contacts on WebKit webviews

   [12]Controlled Frame explainer FYI and review

      [12] https://github.com/WebView-CG/explainers/issues/3

    Rayan: this is a WebView for the Web
    … different fenced iframe, only available for isolated web apps
    … it comes with guarantees - it runs outside of the context of
    the embedding web app, works as if it was a top level context
    … there is exploration to provide WebView-like APIs to control
    web content
    … hence the intersection with our CG

    [13]Controlled Frame explainer


    Rayan: they're seeking feedback on the explainer from the CG

    Qing: this is only for isolated web apps - not for hybrid apps?

    Rayan: correct - it wouldn't work on any web site
    … only for isolated web apps where resources are packaged in a
    web bundle

    Niklas: I used to work on a Web app that used iframes
    extensively for a widget system
    … it would be cool to have full control over the embedded pages
    when combining frames in your main app
    … I need to get a better understanding of isolated web apps

    Rayan: the explainer details how it differs from iframes and
    why it is necessary


    Rayan: there is ongoing work on a device attestation API -
    which is particularly useful for WebViews
    … e.g. a banking app wanting to ensure they're running on a
    non-compromised device
    … it relies on a trusted source that gives signed tokens on
    whether the device has been rooted, whether the app is trusted,
    … expect an explainer coming in this space to the CG

    Dom: may be worth surfacing that use case in our usage doc

    Rayan: note that this would be a Web Platform feature, not just
    for WebViews - it has utility in anti-fraud contexts
    … but let's wait to see the explainer when we can react with a
    more detailed proposal

    Niklas: looking forward to this, in particular a clearer sense
    of the use cases

     Minutes manually created (not a transcript), formatted by
     [14]scribe.perl version 210 (Wed Jan 11 19:21:32 2023 UTC).

Received on Wednesday, 22 March 2023 08:43:23 UTC