W3C

– DRAFT –
WebView CG

23 August 2022

Attendees

Present
Andy_Luhrs, Dom, JonathanKingston, MaxTsoy, NiklasMerz, Ovidio_Ruiz-Henriquez, QingAn, Rayan, ThomasSteiner, Tim_Cappalli
Regrets
-
Chair
QingAn, Rayan
Scribe
dom

Meeting minutes

QingAn: this is our last meeting before TPAC; beyond issues, we should also discuss our TPAC logistics and agenda

Review and discuss use cases

Different type of Webviews #19

<ghurlbot> Issue 19 Define different types of webviews (NiklasMerz) use case, Agenda+

Qing: we're close to agreeing this is a use case worth adopting
… with a distinction between "full webviews" and webview-like browser experience

Niklas: +1

Qing: I'll work on a PR towards that

Web storage and cookies #24

<ghurlbot> Issue 24 Manage web storage and cookies (muodov) use case, Agenda+

QingAn: any suggested next step for this issue?

Max: all the webviews provide this feature one way or another
… there are legit use cases for this
… I think it should be included

QingAn: could we add more details to the use case?

Andy: this is already doable with injected JS in any case

<Zakim> dom, you wanted to ask if we should classify use cases (document security issues?) based on the type of usage (e.g. in-app-browser vs 1st-party rendering)

dom: we should classify use cases (document security issues?) based on the type of usage (e.g. in-app-browser vs 1st-party rendering)

rayan: +1 - this is a valid use case, but the context of when it is being used matters, with different security & privacy implications

QingAn: ok, so we'll mark it as valid and iterate on security / privacy considerations separately

Disabling Web platform features & APIs #29

<ghurlbot> Issue 29 Disable web platform features and web APIs (muodov) use case, Agenda+

Max: this is a more narrow use case, coming from our privacy-focused browser
… there are cases where we want to disable Web APIs that would otherwise be available to Web pages
… sometimes this can be done through JS injection (e.g. by nullifying globals),

Rayan: which type of features are you thinking of? generally web exposed features? or things gated by permissions

Jonathan: one example is WebFonts - we can't reduce entropy associated with it
… we're also modifying e.g. canvas APIs for privacy preservation

Andy: privacy-relevant APIs would traditionally be behind permissions, which could be handled through our permission discussion

Jonathan: fonts or canvas aren't gated by permissions
… this is probably not just a flat on/off switch which would not be web compatible

Dom: the use case probably needs more detail - not sure if there is a generic mechanism that would work across features / APIs
… would be worth fleshing out

Jonathan: we can do that indeed

Max: some of this can be managed through JS injection, so maybe we can leave it for later while we collect more details

Intercept / Modify network traffic #30

<ghurlbot> Issue 30 Intercept / modify network traffic (muodov) use case, Agenda+

Max: this is a follow up to what has been discussed in other issues
… intercepting HTTP requests / responses and headers
… clearly a very security-sensitive topic
… all webviews support this one way or another

dom: have we discussed if and how webdriver could help deal with some of these issues; not sure what's the picture of webdriver support in webviews

max: not sure webdriver is supported in webviews atm

niklas: intercepts are available in both iOS and Android but with very different capabilities
… some greater interop would help apps

Rayan: in terms of having similar behaviors across platforms - would injecting a service worker help here?
… we had a similar discussion for pre-caching where this wouldn't work
… but here, would it work as an interoperable basis?

Max: for full browser use cases, this wouldn't be enough because of the same-origin policies which would block intercepting 3rd-party requests
… the closest thing that exists is the WebExtension API that allows some blocking / rewriting
… but even there, we have some important limitations in what you can actually see / intercept
… it would be nice to have something similar and possibly more powerful in full-fledged webviews
… provided that the security part is handled of course

Andy: WebView2 is drastically different from iOS and Android too - different across the board

dom: I'm hearing lots of variations across platforms but also a commonality of them being available
… would be interesting to get a clearer picture of these variations and possibly their motivation

Niklas: I can build a summary for Android and iOS

Andy: will be happy to complete that for WebView2

Gather Diagnostic Data #33

<ghurlbot> Issue 33 Gather Diagnostic Data (aluhrs13) use case, Agenda+

Andy: we expose APIs in WebView2 to gather data about performance trace, heap/stack snapshot - getting detailed diagnostics has proved valuable to developers with complex apps
… they're harder to obtain in a browser case

dom: are they used during development, or shipped to end users?

andy: the latter - mostly in the feedback flow

dom: ok, so shipped to end users and thus the value of commonality

QingAn: any reaction on this being valid?

Max: would be useful to document if this is available on other platforms as well
… can someone help with that?

Rayan: I can add context on the Android side of things
… the webview runs in-process of the app, so a WebView crash takes the app down
… there is a crash event that developers can exploit
… for delegated Webviews à la custom-tab, there won't be anything available

Niklas: similar for iOS

Andy: it might also be interesting to analyse Chromium Embedded Framework (CEF) and Electron
… they too provide additional diagnostics tools, incl path to upload them
… I can document them

QingAn: let's keep discussing on the issue then

Challenge: Apps can use WebViews to bypass web security standards, privacy standards, and user choice. #36

<ghurlbot> Issue 36 Challenge: Apps can use WebViews to bypass web security standards, privacy standards, and user choice. (aluhrs13) use case, Agenda+

Andy: this issue is at odds with a lot of what we've been discussing so far :)
… this will underlie a lot of our discussions about allowing to build browsers vs keeping the right set of security & privacy

dom: thanks for raising this important issue; I think we may struggle to deal with the underlying policy question about what constitutes a user agent, but we should be able to say that you only get access to additional capabilities by accepting the additional responsibilities of being a user agent

andy: can we already document this as a challenge in the doc, without diving into the details yet?

[thumbs up from max & dom]

QingAn: is #31 independent or should we discuss them together?

<ghurlbot> Issue 31 WebView security model vs same-origin policy (muodov)

Max: I think they're strongly tied - this is about how the Web security model gets mapped to native security models
… I think we should split #36 in different pieces

Other issues

Clarifications about Web Bundles, WebViews & MiniApps #34

<ghurlbot> Issue 34 Clarification around Web Bundles, WebViews, and MiniApps? (aluhrs13) Agenda+

Andy: this arose while I was researching one of my issues
… I'm not sure of how much overlap we have with other efforts such as Web Bundles or MiniApps
… it may be useful to document these

QingAn: not sure we have anyone familiar with Web Bundles
… I can provide information with MiniApps
… I have committed to provide background on how MiniApps use WebViews, which I still have to get to

dom: epub might be another category to document

QingAn: we could see if Brady might help with that
… let's collect more info in that issue

TPAC agenda

#35

<ghurlbot> Issue 35 TPAC agenda (rayankans) Agenda+

QingAn: we have a meeting scheduled on Friday of TPAC week for which we have a draft agenda
… we'll introduce our CG report on usage scenarios & challenges
… then dive into open issues, before discussing next steps
… Dom also suggested to run a breakout meeting during the TPAC breakout day on Wednesday
… we're evaluating this
… we could introduce the CG report as a way to recruit more participants in the CG
… TPAC will be hybrid with remote participants - you have to register and pay the fee to participate

dom: note that there is a no-questions-asked fee waiver

QingAn: next meeting on Sep 16 during TPAC - please register!

Minutes manually created (not a transcript), formatted by scribe.perl version 192 (Tue Jun 28 16:55:30 2022 UTC).
