IRC log of webview on 2022-08-23
Timestamps are in UTC.
- 14:00:00 [RRSAgent]
- RRSAgent has joined #webview
- 14:00:00 [RRSAgent]
- logging to https://www.w3.org/2022/08/23-webview-irc
- 14:00:03 [Zakim]
- Zakim has joined #webview
- 14:01:23 [dom]
- Present+ QingAn, Dom, Rayan, MaxTsoy, NiklasMerz
- 14:01:29 [dom]
- Chair: Rayan, QingAn
- 14:01:44 [dom]
- Agenda: https://github.com/WebView-CG/usage-and-challenges/blob/main/meetings/8th-meeting-agenda-220823.md
- 14:01:59 [dom]
- Present+ ThomasSteiner, JonathanKingston
- 14:02:26 [dom]
- Present+ Ovidio_Ruiz-Henriquez
- 14:03:16 [dom]
- Present+ Tim_Cappalli
- 14:04:00 [dom]
- QingAn: this is our last meeting before TPAC; beyond issues, we should also discuss our TPAC logistics and agenda
- 14:04:16 [dom]
- Topic: Andy_Luhrs
- 14:04:20 [dom]
- Topic: -> https://github.com/WebView-CG/usage-and-challenges/issues?q=is%3Aissue+is%3Aopen+label%3AAgenda%2B Review and discuss use cases
- 14:04:26 [dom]
- s/Topic: A/Present+ A/
- 14:04:31 [dom]
- RRSAgent, draft minutes
- 14:04:31 [RRSAgent]
- I have made the request to generate https://www.w3.org/2022/08/23-webview-minutes.html dom
- 14:04:42 [dom]
- Subtopic: Different type of Webviews #19
- 14:04:43 [ghurlbot]
- https://github.com/WebView-CG/usage-and-challenges/issues/19 -> Issue 19 Define different types of webviews (NiklasMerz) use case, Agenda+
- 14:05:00 [dom]
- Qing: we're close to agreeing this is a use case worth adopting
- 14:05:48 [dom]
- ... with a distinction between "full webviews" and webview-like browser experience
- 14:06:19 [dom]
- Niklas: +1
- 14:06:27 [dom]
- Qing: I'll work on a PR towards that
- 14:06:47 [dom]
- Subtopic: Web storage and cookies #24
- 14:06:47 [ghurlbot]
- https://github.com/WebView-CG/usage-and-challenges/issues/24 -> Issue 24 Manage web storage and cookies (muodov) use case, Agenda+
- 14:08:01 [dom]
- QingAn: any suggested next step for this issue?
- 14:08:16 [dom]
- Max: all the webviews provide this feature one way or another
- 14:08:26 [dom]
- ... there are legit use cases for this
- 14:08:31 [dom]
- ... I think it should be included
- 14:09:03 [dom]
- QingAn: could we add more detail to the use case?
- 14:09:18 [QingAn]
- q?
- 14:09:42 [dom]
- Andy: this is already doable with injected JS in any case
- 14:10:16 [dom]
- q+ to ask if we should classify use cases (document security issues?) based on the type of usage (e.g. in-app-browser vs 1st-party rendering)
- 14:12:23 [dom]
- ack me
- 14:12:23 [Zakim]
- dom, you wanted to ask if we should classify use cases (document security issues?) based on the type of usage (e.g. in-app-browser vs 1st-party rendering)
- 14:12:30 [dom]
- dom: we should classify use cases (document security issues?) based on the type of usage (e.g. in-app-browser vs 1st-party rendering)
- 14:13:05 [dom]
- rayan: +1 - this is a valid use case, but the context of when it is being used matters, with different security & privacy implications
- 14:13:41 [dom]
- QingAn: ok, so we'll mark it as valid and iterate on security / privacy considerations separately
- 14:14:24 [dom]
- Subtopic: Disabling Web platform features & APIs #29
- 14:14:24 [ghurlbot]
- https://github.com/WebView-CG/usage-and-challenges/issues/29 -> Issue 29 Disable web platform features and web APIs (muodov) use case, Agenda+
- 14:14:38 [dom]
- Max: this is a more narrow use case, coming from our privacy-focused browser
- 14:14:56 [dom]
- ... there are cases where we want to disable Web APIs that would otherwise be available to Web pages
- 14:15:25 [dom]
- ... sometimes this can be done through JS injection (e.g. by nullifying globals),
- 14:15:55 [dom]
- Rayan: which type of features are you thinking of? generally web exposed features? or things gated by permissions
- 14:16:17 [dom]
- Jonathan: one example is WebFonts - we can't reduce entropy associated with it
- 14:16:45 [dom]
- ... we're also modifying e.g. canvas APIs for privacy preservation
- 14:17:19 [dom]
- Andy: privacy-relevant APIs would traditionally be behind permissions, which could be handled through our permission discussion
- 14:17:26 [QingAn]
- q?
- 14:17:31 [dom]
- Jonathan: fonts or canvas aren't gated by permissions
- 14:19:00 [dom]
- ... this is probably not just a flat on/off switch which would not be web compatible
- 14:21:09 [dom]
- Dom: the use case probably needs more detail - not sure if there is a generic mechanism that would work across features / APIs
- 14:21:19 [dom]
- ... would be worth fleshing out
- 14:21:26 [dom]
- Jonathan: we can do that indeed
- 14:22:02 [dom]
- Max: some of this can be managed through JS injection, so maybe we can leave it for later while we collect more details
- 14:22:11 [dom]
- RRSAgent, draft minutes
- 14:22:11 [RRSAgent]
- I have made the request to generate https://www.w3.org/2022/08/23-webview-minutes.html dom
- 14:22:16 [dom]
- RRSAgent, make log public
- 14:22:56 [dom]
- Subtopic: Intercept / Modify network traffic #30
- 14:22:56 [ghurlbot]
- https://github.com/WebView-CG/usage-and-challenges/issues/30 -> Issue 30 Intercept / modify network traffic (muodov) use case, Agenda+
- 14:23:15 [dom]
- Max: this is a follow up to what has been discussed in other issues
- 14:23:24 [dom]
- ... intercepting HTTP requests / responses and headers
- 14:23:36 [dom]
- ... clearly a very security-sensitive topic
- 14:23:45 [dom]
- ... all webviews support this one way or another
- 14:24:31 [dom]
- q+ to ask about intersection with webdriver
- 14:26:04 [dom]
- dom: have we discussed if and how webdriver could help deal with some of these issues; not sure what's the picture of webdriver support in webviews
- 14:26:33 [dom]
- max: not sure webdriver is supported in webviews atm
- 14:26:56 [dom]
- niklas: intercepts are available in both iOS and Android but with very different capabilities
- 14:27:09 [dom]
- ... some greater interop would help apps
- 14:27:47 [dom]
- Rayan: in terms of having similar behaviors across platforms - would injecting a service worker help here?
- 14:27:57 [dom]
- ... we had a similar discussion for pre-caching where this wouldn't work
- 14:28:20 [dom]
- ... but here, would it work as an interoperable basis?
- 14:28:50 [dom]
- Max: for full browser use cases, this wouldn't be enough because of the same-origin policies which would block intercepting 3rd-party requests
- 14:29:06 [dom]
- ... the closest thing that exists is the WebExtension API that allows some blocking / rewriting
- 14:29:28 [dom]
- ... but even there, we have some important limitations in what you can actually see / intercept
- 14:29:40 [dom]
- ... it would be nice to have something similar and possibly more powerful in full-fledged webviews
- 14:29:46 [dom]
- ... provided that the security part is handled of course
- 14:30:16 [dom]
- Andy: WebView2 is drastically different from iOS and Android too - different across the board
- 14:30:19 [dom]
- q+
- 14:31:49 [dom]
- dom: I'm hearing lots of variations across platforms but also a commonality of them being available
- 14:32:01 [dom]
- ... would be interesting to get a clearer picture of these variations and possibly their motivation
- 14:32:11 [dom]
- Niklas: I can build a summary for Android and ios
- 14:32:25 [dom]
- Andy: will be happy to complete that for WebView2
- 14:33:03 [dom]
- Subtopic: Gather Diagnostic Data #33
- 14:33:04 [ghurlbot]
- https://github.com/WebView-CG/usage-and-challenges/issues/33 -> Issue 33 Gather Diagnostic Data (aluhrs13) use case, Agenda+
- 14:34:11 [dom]
- Andy: we expose APIs in WebView2 to gather data about performance trace, heap/stack snapshot - getting detailed diagnostics has proved valuable to developers with complex apps
- 14:34:24 [dom]
- ... they're harder to obtain in a browser case
- 14:35:17 [dom]
- dom: are they used during development, or shipped to end users?
- 14:35:39 [dom]
- andy: the latter - mostly in the feedback flow
- 14:35:52 [dom]
- dom: ok, so shipped to end users and thus of the value of commonality
- 14:36:12 [dom]
- QingAn: any reaction on this being valid?
- 14:36:22 [dom]
- Max: would be useful to document if this is available on other platforms as well
- 14:36:59 [dom]
- ... can someone help with that?
- 14:37:21 [dom]
- Rayan: I can add context on the Android side of things
- 14:37:36 [dom]
- ... the webview runs in-process of the app, so a WebView crash takes the app down
- 14:37:47 [dom]
- ... there is a crash event that developers can exploit
- 14:38:07 [dom]
- ... for delegated Webviews à la custom-tab, there won't be anything available
- 14:38:15 [dom]
- Niklas: similar for iOS
- 14:38:45 [dom]
- Andy: it might also be interesting to analyse Chromium Embedded Framework (CEF) and Electron
- 14:39:09 [dom]
- ... they too provide additional diagnostics tools, incl path to upload them
- 14:39:16 [dom]
- ... I can document them
- 14:39:38 [dom]
- QingAn: let's keep discussing on the issue then
- 14:40:04 [dom]
- Subtopic: Challenge: Apps can use WebViews to bypass web security standards, privacy standards, and user choice. #36
- 14:40:04 [ghurlbot]
- https://github.com/WebView-CG/usage-and-challenges/issues/36 -> Issue 36 Challenge: Apps can use WebViews to bypass web security standards, privacy standards, and user choice. (aluhrs13) use case, Agenda+
- 14:40:36 [dom]
- Andy: this issue is at odds with a lot of what we've been discussing so far :)
- 14:41:15 [dom]
- ... this will underlie a lot of our discussions about allowing to build browsers vs keeping the right set of security & privacy
- 14:44:42 [dom]
- dom: thanks for raising this important issue; I think we may struggle to deal with the underlying policy question about what constitutes a user agent, but we should be able to say that you only get access to additional capabilities by accepting the additional responsibilities of being a user agent
- 14:45:42 [dom]
- andy: can we already document this as a challenge in the doc, without diving into the details yet?
- 14:45:48 [dom]
- [thumbs up from max & dom]
- 14:46:56 [dom]
- QingAn: is #31 independent or should we discuss them together?
- 14:46:56 [ghurlbot]
- https://github.com/WebView-CG/usage-and-challenges/issues/31 -> Issue 31 WebView security model vs same-origin policy (muodov)
- 14:47:22 [dom]
- Max: I think they're strongly tied - this is about how the Web security model gets mapped to native security models
- 14:47:35 [dom]
- ... I think we should split #36 in different pieces
- 14:49:41 [dom]
- Topic: Other issues
- 14:49:55 [dom]
- Subtopic: Clarifications about Web Bundles, WebViews & MiniApps #34
- 14:49:55 [ghurlbot]
- https://github.com/WebView-CG/usage-and-challenges/issues/34 -> Issue 34 Clarification around Web Bundles, WebViews, and MiniApps? (aluhrs13) Agenda+
- 14:50:09 [dom]
- Andy: this arose while I was researching one of my issues
- 14:50:30 [dom]
- ... I'm not sure of how much overlap we have with other efforts such as Web Bundles or MiniApps
- 14:50:50 [dom]
- ... it may be useful to document these
- 14:51:05 [dom]
- QingAn: not sure we have anyone familiar with Web Bundles
- 14:51:10 [dom]
- ... I can provide information with MiniApps
- 14:51:35 [dom]
- ... I have committed to provide background on how MiniApps use WebViews, which I still have to get to
- 14:52:18 [dom]
- dom: epub might be another category to document
- 14:52:44 [dom]
- QingAn: we could see if Brady might help with that
- 14:53:26 [dom]
- ... let's collect more info in that issue
- 14:54:00 [dom]
- Topic: TPAC agenda
- 14:54:03 [dom]
- #35
- 14:54:11 [ghurlbot]
- https://github.com/WebView-CG/usage-and-challenges/issues/35 -> Issue 35 TPAC agenda (rayankans) Agenda+
- 14:54:24 [dom]
- QingAn: we have a meeting scheduled on Friday of TPAC week for which we have a draft agenda
- 14:54:39 [dom]
- ... we'll introduce our CG report on usage scenarios & challenges
- 14:54:56 [dom]
- ... then dive into open issues, before discussing next steps
- 14:55:56 [dom]
- ... Dom also suggested to run a breakout meeting during the TPAC breakout day
- 14:56:01 [dom]
- ... we're evaluating this
- 14:56:17 [dom]
- s/day/day on Wednesday
- 14:56:41 [dom]
- ... we could introduce the CG report as a way to recruit more participants in the CG
- 14:58:12 [dom]
- ... TPAC will be hybrid with remote participants - you have to register and pay the fee to participate
- 14:58:19 [dom]
- dom: note that there is a no-questions-asked fee waiver
- 15:02:32 [dom]
- QingAn: next meeting on Sep 16 during TPAC - please register!
- 15:02:58 [dom]
- RRSAgent, draft minutes
- 15:02:58 [RRSAgent]
- I have made the request to generate https://www.w3.org/2022/08/23-webview-minutes.html dom
- 15:03:50 [dom]
- Meeting: WebView CG
- 15:03:51 [dom]
- RRSAgent, draft minutes
- 15:03:51 [RRSAgent]
- I have made the request to generate https://www.w3.org/2022/08/23-webview-minutes.html dom
- 16:45:01 [Zakim]
- Zakim has left #webview