IRC log of webview on 2022-08-23

Timestamps are in UTC.

14:00:00 [RRSAgent]
RRSAgent has joined #webview
14:00:00 [RRSAgent]
logging to https://www.w3.org/2022/08/23-webview-irc
14:00:03 [Zakim]
Zakim has joined #webview
14:01:23 [dom]
Present+ QingAn, Dom, Rayan, MaxTsoy, NiklasMerz
14:01:29 [dom]
Chair: Rayan, QingAn
14:01:44 [dom]
Agenda: https://github.com/WebView-CG/usage-and-challenges/blob/main/meetings/8th-meeting-agenda-220823.md
14:01:59 [dom]
Present+ ThomasSteiner, JonathanKingston
14:02:26 [dom]
Present+ Ovidio_Ruiz-Henriquez
14:03:16 [dom]
Present+ Tim_Cappalli
14:04:00 [dom]
QingAn: this is our last meeting before TPAC; beyond issues, we should also discuss our TPAC logistics and agenda
14:04:16 [dom]
Topic: Andy_Luhrs
14:04:20 [dom]
Topic: -> https://github.com/WebView-CG/usage-and-challenges/issues?q=is%3Aissue+is%3Aopen+label%3AAgenda%2B Review and discuss use cases
14:04:26 [dom]
s/Topic: A/Present+ A/
14:04:31 [dom]
RRSAgent, draft minutes
14:04:31 [RRSAgent]
I have made the request to generate https://www.w3.org/2022/08/23-webview-minutes.html dom
14:04:42 [dom]
Subtopic: Different type of Webviews #19
14:04:43 [ghurlbot]
https://github.com/WebView-CG/usage-and-challenges/issues/19 -> Issue 19 Define different types of webviews (NiklasMerz) use case, Agenda+
14:05:00 [dom]
Qing: we're close to agreeing this is a use case worth adopting
14:05:48 [dom]
... with a distinction between "full webviews" and webview-like browser experience
14:06:19 [dom]
Niklas: +1
14:06:27 [dom]
Qing: I'll work on a PR towards that
14:06:47 [dom]
Subtopic: Web storage and cookies #24
14:06:47 [ghurlbot]
https://github.com/WebView-CG/usage-and-challenges/issues/24 -> Issue 24 Manage web storage and cookies (muodov) use case, Agenda+
14:08:01 [dom]
QingAn: any suggested next step for this issue?
14:08:16 [dom]
Max: all the webviews provide this feature one way or another
14:08:26 [dom]
... there are legit use cases for this
14:08:31 [dom]
... I think it should be included
14:09:03 [dom]
QingAn: could we add more details to the use case?
14:09:18 [QingAn]
q?
14:09:42 [dom]
Andy: this is already doable with injected JS in any case
14:10:16 [dom]
q+ to ask if we should classify use cases (document security issues?) based on the type of usage (e.g. in-app-browser vs 1st-party rendering)
14:12:23 [dom]
ack me
14:12:23 [Zakim]
dom, you wanted to ask if we should classify use cases (document security issues?) based on the type of usage (e.g. in-app-browser vs 1st-party rendering)
14:12:30 [dom]
dom: we should classify use cases (document security issues?) based on the type of usage (e.g. in-app-browser vs 1st-party rendering)
14:13:05 [dom]
rayan: +1 - this is a valid use case, but the context of when it is being used matters, with different security & privacy implications
14:13:41 [dom]
QingAn: ok, so we'll mark it as valid and iterate on security / privacy considerations separately
14:14:24 [dom]
Subtopic: Disabling Web platform features & APIs #29
14:14:24 [ghurlbot]
https://github.com/WebView-CG/usage-and-challenges/issues/29 -> Issue 29 Disable web platform features and web APIs (muodov) use case, Agenda+
14:14:38 [dom]
Max: this is a more narrow use case, coming from our privacy-focused browser
14:14:56 [dom]
... there are cases where we want to disable Web APIs that would otherwise be available to Web pages
14:15:25 [dom]
... sometimes this can be done through JS injection (e.g. by nullifying globals),
14:15:55 [dom]
Rayan: which type of features are you thinking of? generally web exposed features? or things gated by permissions
14:16:17 [dom]
Jonathan: one example is WebFonts - we can't reduce entropy associated with it
14:16:45 [dom]
... we're also modifying e.g. canvas APIs for privacy preservation
14:17:19 [dom]
Andy: privacy-relevant APIs would traditionally be behind permissions, which could be handled through our permission discussion
14:17:26 [QingAn]
q?
14:17:31 [dom]
Jonathan: fonts or canvas aren't gated by permissions
14:19:00 [dom]
... this is probably not just a flat on/off switch which would not be web compatible
14:21:09 [dom]
Dom: the use case probably needs more details - not sure if there is a generic mechanism that would work across features / APIs
14:21:19 [dom]
... would be worth fleshing out
14:21:26 [dom]
Jonathan: we can do that indeed
14:22:02 [dom]
Max: some of this can be managed through JS injection, so maybe we can leave it for later while we collect more details
14:22:11 [dom]
RRSAgent, draft minutes
14:22:11 [RRSAgent]
I have made the request to generate https://www.w3.org/2022/08/23-webview-minutes.html dom
14:22:16 [dom]
RRSAgent, make log public
14:22:56 [dom]
Subtopic: Intercept / Modify network traffic #30
14:22:56 [ghurlbot]
https://github.com/WebView-CG/usage-and-challenges/issues/30 -> Issue 30 Intercept / modify network traffic (muodov) use case, Agenda+
14:23:15 [dom]
Max: this is a follow up to what has been discussed in other issues
14:23:24 [dom]
... intercepting HTTP requests / responses and headers
14:23:36 [dom]
... clearly a very security-sensitive topic
14:23:45 [dom]
... all webviews support this one way or another
14:24:31 [dom]
q+ to ask about intersection with webdriver
14:26:04 [dom]
dom: have we discussed if and how webdriver could help deal with some of these issues; not sure what's the picture of webdriver support in webviews
14:26:33 [dom]
max: not sure webdriver is supported in webviews atm
14:26:56 [dom]
niklas: intercepts are available in both iOS and Android but with very different capabilities
14:27:09 [dom]
... some greater interop would help apps
14:27:47 [dom]
Rayan: in terms of having similar behaviors across platforms - would injecting a service worker help here?
14:27:57 [dom]
... we had a similar discussion for pre-caching where this wouldn't work
14:28:20 [dom]
... but here, would it work as an interoperable basis?
14:28:50 [dom]
Max: for full browser use cases, this wouldn't be enough because of the same-origin policies which would block intercepting 3rd-party requests
14:29:06 [dom]
... the closest thing that exists is the WebExtension API that allows some blocking / rewriting
14:29:28 [dom]
... but even there, we have some important limitations in what you can actually see / intercept
14:29:40 [dom]
... it would be nice to have something similar and possibly more powerful in full-fledged webviews
14:29:46 [dom]
... provided that the security part is handled of course
14:30:16 [dom]
Andy: WebView2 is drastically different from iOS and Android too - different across the board
14:30:19 [dom]
q+
14:31:49 [dom]
dom: I'm hearing lots of variations across platform but also a commonality of them being available
14:32:01 [dom]
... would be interesting to get a clearer picture of these variations and possibly their motivation
14:32:11 [dom]
Niklas: I can build a summary for Android and ios
14:32:25 [dom]
Andy: will be happy to complete that for WebView2
14:33:03 [dom]
Subtopic: Gather Diagnostic Data #33
14:33:04 [ghurlbot]
https://github.com/WebView-CG/usage-and-challenges/issues/33 -> Issue 33 Gather Diagnostic Data (aluhrs13) use case, Agenda+
14:34:11 [dom]
Andy: we expose APIs in WebView2 to gather data about performance trace, heap/stack snapshot - getting detailed diagnostics has proved valuable to developers with complex apps
14:34:24 [dom]
... they're harder to obtain in a browser case
14:35:17 [dom]
dom: are they used during development, or shipped to end users?
14:35:39 [dom]
andy: the latter - mostly in the feedback flow
14:35:52 [dom]
dom: ok, so shipped to end users and thus of the value of commonality
14:36:12 [dom]
QingAn: any reaction on this being valid?
14:36:22 [dom]
Max: would be useful to document if this is available on other platforms as well
14:36:59 [dom]
... can someone help with that?
14:37:21 [dom]
Rayan: I can add context on the Android side of things
14:37:36 [dom]
... the webview runs in-process of the app, so a WebView crash takes the app down
14:37:47 [dom]
... there is a crash event that developers can exploit
14:38:07 [dom]
... for delegated Webviews à la custom-tab, there won't be anything available
14:38:15 [dom]
Niklas: similar for iOS
14:38:45 [dom]
Andy: it might also be interesting to analyse Chromium Embedded Framework (CEF) and Electron
14:39:09 [dom]
... they too provide additional diagnostics tools, incl path to upload them
14:39:16 [dom]
... I can document them
14:39:38 [dom]
QingAn: let's keep discussing on the issue then
14:40:04 [dom]
Subtopic: Challenge: Apps can use WebViews to bypass web security standards, privacy standards, and user choice. #36
14:40:04 [ghurlbot]
https://github.com/WebView-CG/usage-and-challenges/issues/36 -> Issue 36 Challenge: Apps can use WebViews to bypass web security standards, privacy standards, and user choice. (aluhrs13) use case, Agenda+
14:40:36 [dom]
Andy: this issue is at odds with a lot of what we've been discussing so far :)
14:41:15 [dom]
... this will underlie a lot of our discussions about allowing to build browsers vs keeping the right set of security & privacy
14:44:42 [dom]
dom: thanks for raising this important issue; I think we may struggle to deal with the underlying policy question about what constitutes a user agent, but we should be able to say that you only get access to additional capabilities by accepting the additional responsibilities of being a user agent
14:45:42 [dom]
andy: can we already document this as a challenge in the doc, without diving into the details yet?
14:45:48 [dom]
[thumbs up from max & dom]
14:46:56 [dom]
QingAn: is #31 independent or should we discuss them together?
14:46:56 [ghurlbot]
https://github.com/WebView-CG/usage-and-challenges/issues/31 -> Issue 31 WebView security model vs same-origin policy (muodov)
14:47:22 [dom]
Max: I think they're strongly tied - this is about how the Web security model gets mapped to native security models
14:47:35 [dom]
... I think we should split #36 in different pieces
14:49:41 [dom]
Topic: Other issues
14:49:55 [dom]
Subtopic: Clarifications about Web Bundles, WebViews & MiniApps #34
14:49:55 [ghurlbot]
https://github.com/WebView-CG/usage-and-challenges/issues/34 -> Issue 34 Clarification around Web Bundles, WebViews, and MiniApps? (aluhrs13) Agenda+
14:50:09 [dom]
Andy: this arose while I was researching one of my issues
14:50:30 [dom]
... I'm not sure of how much overlap we have with other efforts such as Web Bundles or MiniApps
14:50:50 [dom]
... it may be useful to document these
14:51:05 [dom]
QingAn: not sure we have anyone familiar with Web Bundles
14:51:10 [dom]
... I can provide information with MiniApps
14:51:35 [dom]
... I have committed to provide background on how MiniApps use WebViews, which I still have to get to
14:52:18 [dom]
dom: epub might be another category to document
14:52:44 [dom]
QingAn: we could see if Brady might help with that
14:53:26 [dom]
... let's collect more info in that issue
14:54:00 [dom]
Topic: TPAC agenda
14:54:03 [dom]
#35
14:54:11 [ghurlbot]
https://github.com/WebView-CG/usage-and-challenges/issues/35 -> Issue 35 TPAC agenda (rayankans) Agenda+
14:54:24 [dom]
QingAn: we have a meeting scheduled on Friday of TPAC week for which we have a draft agenda
14:54:39 [dom]
... we'll introduce our CG report on usage scenarios & challenges
14:54:56 [dom]
... then dive into open issues, before discussing next steps
14:55:56 [dom]
... Dom also suggested to run a breakout meeting during the TPAC breakout day
14:56:01 [dom]
... we're evaluating this
14:56:17 [dom]
s/day/day on Wednesday
14:56:41 [dom]
... we could introduce the CG report as a way to recruit more participants in the CG
14:58:12 [dom]
... TPAC will be hybrid with remote participants - you have to register and pay the fee to participate
14:58:19 [dom]
dom: note that there is a no-questions-asked fee waiver
15:02:32 [dom]
QingAn: next meeting on Sep 16 during TPAC - please register!
15:02:58 [dom]
RRSAgent, draft minutes
15:02:58 [RRSAgent]
I have made the request to generate https://www.w3.org/2022/08/23-webview-minutes.html dom
15:03:50 [dom]
Meeting: WebView CG
15:03:51 [dom]
RRSAgent, draft minutes
15:03:51 [RRSAgent]
I have made the request to generate https://www.w3.org/2022/08/23-webview-minutes.html dom
16:45:01 [Zakim]
Zakim has left #webview