14:00:00 <RRSAgent> RRSAgent has joined #webview
14:00:00 <RRSAgent> logging to https://www.w3.org/2022/08/23-webview-irc
14:00:03 <Zakim> Zakim has joined #webview
14:01:23 <dom> Present+ QingAn, Dom, Rayan, MaxTsoy, NiklasMerz
14:01:29 <dom> Chair: Rayan, QingAn
14:01:44 <dom> Agenda: https://github.com/WebView-CG/usage-and-challenges/blob/main/meetings/8th-meeting-agenda-220823.md
14:01:59 <dom> Present+ ThomasSteiner, JonathanKingston
14:02:26 <dom> Present+ Ovidio_Ruiz-Henriquez
14:03:16 <dom> Present+ Tim_Cappalli
14:04:00 <dom> QingAn: this is our last meeting before TPAC; beyond issues, we should also discuss our TPAC logistics and agenda
14:04:16 <dom> Topic: Andy_Luhrs
14:04:20 <dom> Topic: -> https://github.com/WebView-CG/usage-and-challenges/issues?q=is%3Aissue+is%3Aopen+label%3AAgenda%2B Review and discuss use cases
14:04:26 <dom> s/Topic: A/Present+ A/
14:04:31 <dom> RRSAgent, draft minutes
14:04:31 <RRSAgent> I have made the request to generate https://www.w3.org/2022/08/23-webview-minutes.html dom
14:04:42 <dom> Subtopic: Different type of Webviews #19
14:04:43 <ghurlbot> https://github.com/WebView-CG/usage-and-challenges/issues/19 -> Issue 19 Define different types of webviews (NiklasMerz) use case, Agenda+
14:05:00 <dom> Qing: we're close to agree this is a use case worth adopting
14:05:48 <dom> ... with a distinction between "full webviews" and webview-like browser experience
14:06:19 <dom> Niklas: +1
14:06:27 <dom> Qing: I'll work on a PR towards that
14:06:47 <dom> Subtopic: Web storage and cookies #24
14:06:47 <ghurlbot> https://github.com/WebView-CG/usage-and-challenges/issues/24 -> Issue 24 Manage web storage and cookies (muodov) use case, Agenda+
14:08:01 <dom> QingAn: any suggested next step for this issue?
14:08:16 <dom> Max: all the webviews provide this feature one way or another
14:08:26 <dom> ... there are legit use cases for this
14:08:31 <dom> ... I think it should be included
14:09:03 <dom> QingAn: could we add more detailed to the use case?
14:09:18 <QingAn> q?
14:09:42 <dom> Andy: this is already doable with injected JS in any case
14:10:16 <dom> q+ to ask if we should classify use cases (document security issues?) based on the type of usage (e.g. in-app-browser vs 1st-party rendering)
14:12:23 <dom> ack me
14:12:23 <Zakim> dom, you wanted to ask if we should classify use cases (document security issues?) based on the type of usage (e.g. in-app-browser vs 1st-party rendering)
14:12:30 <dom> dom:  we should classify use cases (document security issues?) based on the type of usage (e.g. in-app-browser vs 1st-party rendering)
14:13:05 <dom> rayan: +1 - this is a valid use case, but the context of when it is being used matters, with different security & privacy implications
14:13:41 <dom> QingAn: ok, so we'll mark it as valid and iterate on security / privacy considerations separatley
14:14:24 <dom> Subtopic: Disabling Web platform features & APIs #29
14:14:24 <ghurlbot> https://github.com/WebView-CG/usage-and-challenges/issues/29 -> Issue 29 Disable web platform features and web APIs (muodov) use case, Agenda+
14:14:38 <dom> Max: this is a more narrow use case, coming from our privacy-focused browser
14:14:56 <dom> ... there are cases where we want to disable Web APIs that would otherwise be available to Web pages
14:15:25 <dom> ... sometimes this can be done through JS injection (e.g. by nullifying globals),
14:15:55 <dom> Rayan: which type of features are you thinking of? generally web exposed features? or things gated by permissions
14:16:17 <dom> Jonathan: one example is WebFonts - we can't reduce entropy associated with it
14:16:45 <dom> ... we're also modifying e.g. canvas APIs for privacy perservation
14:17:19 <dom> Andy: privacy-relevant APIs would traditionally be behind permissions, which could be handled through our permission discussion
14:17:26 <QingAn> q?
14:17:31 <dom> Jonathan: fonts or canvas aren't gated by permissions
14:19:00 <dom> ... this is probably not just a flat on/off switch which would not be web compatible
14:21:09 <dom> Dom: the use case probably needs more detailed - not sure if there is a generic mechanism that would work across features / APIs
14:21:19 <dom> ... would be worth flushing out
14:21:26 <dom> Jonathan: we can do that indeed
14:22:02 <dom> Max: some of this can managed through JS injection, so maybe we can leave it for later while we collect more details
14:22:11 <dom> RRSAgent, draft minutes
14:22:11 <RRSAgent> I have made the request to generate https://www.w3.org/2022/08/23-webview-minutes.html dom
14:22:16 <dom> RRSAgent, make log public
14:22:56 <dom> Subtopic: Intercept / Modify network traffic #30
14:22:56 <ghurlbot> https://github.com/WebView-CG/usage-and-challenges/issues/30 -> Issue 30 Intercept / modify network traffic (muodov) use case, Agenda+
14:23:15 <dom> Max: this is a follow up to what has been discussed in other issues
14:23:24 <dom> ... intercepting HTTP requests / responses and headers
14:23:36 <dom> ... clearly a very security sensitive topics
14:23:45 <dom> ... all webviews support this one way or another
14:24:31 <dom> q+ to ask about intersection with webdriver
14:26:04 <dom> dom: have we discussed if and how webdriver could help deal with some of these issues; not sure what's the picture of webdriver support in webviews
14:26:33 <dom> max: not sure webdrivier is supported in webviews atm
14:26:56 <dom> niklas: intercept are available in both ios and android but with very different capabilities
14:27:09 <dom> ... some greater interop would help apps
14:27:47 <dom> Rayan: in terms of having similar behaviors across platforms - would inject a service worker help here?
14:27:57 <dom> ... we had a similar discussion for pre-caching where this wouldn't work
14:28:20 <dom> ... but here, would it work as an interoperable basis?
14:28:50 <dom> Max: for full browser use cases, this wouldn't be enough because of the same-origin policies which would block intercepting 3rd-party requests
14:29:06 <dom> ... the closest thing that exists is the WebExtension API that allow some blocking / rewriting
14:29:28 <dom> ... but even there, we have some important limitations in what you can actually see / intercept
14:29:40 <dom> ... it would be nice to have something similar and possibly more powerful in fullfledged webviews
14:29:46 <dom> ... provided that the security part is handled of course
14:30:16 <dom> Andy: WebView2 is drastically differetn from ios and android too - different across the board
14:30:19 <dom> q+
14:31:49 <dom> dom: I'm hearing lots of variations across platform but also a commonality of them being available
14:32:01 <dom> ... would be interesting to get a clearer picture of these variations and possibly their motivation
14:32:11 <dom> Niklas: I can build a summary for Android and ios
14:32:25 <dom> Andy: will be happy to complete that for WebView2
14:33:03 <dom> Subtopic: Gather Diagnostic Data #33
14:33:04 <ghurlbot> https://github.com/WebView-CG/usage-and-challenges/issues/33 -> Issue 33 Gather Diagnostic Data (aluhrs13) use case, Agenda+
14:34:11 <dom> Andy: we expose APIs in WebView2 to gather data about performance trace, heap/stack snapshot - getting detailed diagnostics has proved valuable to developers with complex app
14:34:24 <dom> ... they're harder to obtain in a browser case
14:35:17 <dom> dom: are they used during development, or shipped to end users?
14:35:39 <dom> andy: the latter - mostly in the feedback flow
14:35:52 <dom> dom: ok, so shipped to end users and thus of the value of commonality
14:36:12 <dom> QingAn: any reaction on this being valid?
14:36:22 <dom> Max: would be useful to document if this available on other platforms as well
14:36:59 <dom> ... can someone help with that?
14:37:21 <dom> Rayan: I can add context on the Android side of things
14:37:36 <dom> ... the webview runs in-process of the app, so a WebView crash takes the app down
14:37:47 <dom> ... there is a crash event that developers can exploit
14:38:07 <dom> ... for delegated Webviews à la custom-tab, there won't be anything available
14:38:15 <dom> Niklas: similar for iOS
14:38:45 <dom> Andy: it might also be interesting to analyse Chromium Embedded Framework (CEF) and Electron
14:39:09 <dom> ... they too provide additional diagnostics tools, incl path to upload them
14:39:16 <dom> ... I can document them
14:39:38 <dom> QingAn: let's keep discussing on the issue then
14:40:04 <dom> Subtopic: Challenge: Apps can use WebViews to bypass web security standards, privacy standards, and user choice. #36
14:40:04 <ghurlbot> https://github.com/WebView-CG/usage-and-challenges/issues/36 -> Issue 36 Challenge: Apps can use WebViews to bypass web security standards, privacy standards, and user choice. (aluhrs13) use case, Agenda+
14:40:36 <dom> Andy: this issue is at odd with a lot of what we've been discussing so far :)
14:41:15 <dom> ... this will underly a lot of our discussions about allowing to build a browsers vs keeping the right set of security & privacy
14:44:42 <dom> dom: thanks for raising this important issue; I think we may struggle to deal with the underlying policy question about what constitutes a user agent, but we should be able to say that you only get access to additional capabilities by accepting the additional responsibilities of being a user agent
14:45:42 <dom> andy: can we already document this as a challenge in the doc, without diving into the details yet?
14:45:48 <dom> [thumbs up from max & dom]
14:46:56 <dom> QingAn: is #31 independent or should we discuss them together?
14:46:56 <ghurlbot> https://github.com/WebView-CG/usage-and-challenges/issues/31 -> Issue 31 WebView security model vs same-origin policy (muodov)
14:47:22 <dom> Max: I think they're strongly tied - this is about how the Web security model gets mapped to native security models
14:47:35 <dom> ... I think we should split #36 in different pieces
14:49:41 <dom> Topic: Other issues
14:49:55 <dom> Subtopic: Clarifications about Web Bundles, WebViews & MiniApps #34
14:49:55 <ghurlbot> https://github.com/WebView-CG/usage-and-challenges/issues/34 -> Issue 34 Clarification around Web Bundles, WebViews, and MiniApps? (aluhrs13) Agenda+
14:50:09 <dom> Andy: this arose while I was researching one of my issues
14:50:30 <dom> ... I'm not sure of how much overlap we have with other efforts such as Web Bundles or MiniApps
14:50:50 <dom> ... it may be useful to document these
14:51:05 <dom> QingAn: not sure we have anyone familiar with Web Bundles
14:51:10 <dom> ... I can provide information with MiniApps
14:51:35 <dom> ... I have committed to provide background on how MiniApps use WebViews, which I still have to get to
14:52:18 <dom> dom: epub might be another category to document
14:52:44 <dom> QingAn: we could see if Brady might help with that
14:53:26 <dom> ... let's collect more info in that issue
14:54:00 <dom> Topic: TPAC agenda
14:54:03 <dom> #35
14:54:11 <ghurlbot> https://github.com/WebView-CG/usage-and-challenges/issues/35 -> Issue 35 TPAC agenda (rayankans) Agenda+
14:54:24 <dom> QingAn: we have a meeting scheduled on Friday of TPAC week for which we have a draft agenda
14:54:39 <dom> ... we'll introduce our CG report on usage scenarios & challenges
14:54:56 <dom> ... then dive into open issues, before discussing next steps
14:55:56 <dom> ... Dom also suggested to run a breakout meeting during the TPAC breakout day
14:56:01 <dom> ... we're evaluating this
14:56:17 <dom> s/day/day on Wednesday
14:56:41 <dom> ... we could introduce the CG report as a way to recruit more participants in the CG
14:58:12 <dom> ... TPAC will be hybrid with remote participants - you have to register and pay the fee to participate
14:58:19 <dom> dom: note that there is no-question-asked fee waiver
15:02:32 <dom> QingAn: next meeting on Sep 16 during TPAC - please register!
15:02:58 <dom> RRSAgent, draft minutes
15:02:58 <RRSAgent> I have made the request to generate https://www.w3.org/2022/08/23-webview-minutes.html dom
15:03:50 <dom> Meeting: WebView CG
15:03:51 <dom> RRSAgent, draft minutes
15:03:51 <RRSAgent> I have made the request to generate https://www.w3.org/2022/08/23-webview-minutes.html dom
16:45:01 <Zakim> Zakim has left #webview