20:04:31 RRSAgent has joined #installing-web-apps-breakout-2024 20:04:35 logging to https://www.w3.org/2024/03/12-installing-web-apps-breakout-2024-irc 20:04:35 RRSAgent, do not leave 20:04:35 tidoust has joined #installing-web-apps-breakout-2024 20:04:37 RRSAgent, make logs public 20:04:38 Meeting: Installing web apps as a new platform feature 20:04:38 Chair: Diego Gonzalez-Zuniga, Amanda Baker 20:04:38 Agenda: https://github.com/w3c/breakouts-day-2024/issues/17 20:04:38 Zakim has joined #installing-web-apps-breakout-2024 20:04:39 Zakim, clear agenda 20:04:39 agenda cleared 20:04:39 Zakim, agenda+ Pick a scribe 20:04:40 agendum 1 added 20:04:40 Zakim, agenda+ Reminders: code of conduct, health policies, recorded session policy 20:04:41 agendum 2 added 20:04:41 Zakim, agenda+ Goal of this session 20:04:42 agendum 3 added 20:04:42 Zakim, agenda+ Discussion 20:04:42 agendum 4 added 20:04:42 Zakim, agenda+ Next steps / where discussion continues 20:04:45 agendum 5 added 20:04:45 tpac-breakout-bot has left #installing-web-apps-breakout-2024 20:37:32 Kristin has joined #installing-web-apps-breakout-2024 21:23:47 ambake has joined #installing-web-apps-breakout-2024 21:55:55 koalie has joined #installing-web-apps-breakout-2024 21:55:57 unextro has joined #installing-web-apps-breakout-2024 21:56:09 Zakim, agenda? 21:56:09 I see 5 items remaining on the agenda: 21:56:10 1. Pick a scribe [from tpac-breakout-bot] 21:56:10 2. Reminders: code of conduct, health policies, recorded session policy [from tpac-breakout-bot] 21:56:10 3. Goal of this session [from tpac-breakout-bot] 21:56:11 4. Discussion [from tpac-breakout-bot] 21:56:11 5. Next steps / where discussion continues [from tpac-breakout-bot] 21:57:17 McCool_ has joined #installing-web-apps-breakout-2024 21:58:26 present+ Coralie 21:58:39 Dingwei__ has joined #installing-web-apps-breakout-2024 21:58:49 Present+ 21:59:08 xiaoqian has joined #installing-web-apps-breakout-2024 22:01:59 MasakazuKitahara has joined #installing-web-apps-breakout-2024 22:03:34 -> https://github.com/w3c/breakouts-day-2024/issues/17 Installing web apps as a new platform feature 22:04:27 adamscott_ has joined #installing-web-apps-breakout-2024 22:04:39 adamscott_ has joined #installing-web-apps-breakout-2024 22:04:59 rbyers has joined #installing-web-apps-breakout-2024 22:05:01 adamscott has joined #installing-web-apps-breakout-2024 22:05:12 Howard_Wolosky has joined #installing-web-apps-breakout-2024 22:07:12 Kristin has joined #installing-web-apps-breakout-2024 22:07:14 marcosc_ has joined #installing-web-apps-breakout-2024 22:07:20 Natasha_Gaitonde has joined #installing-web-apps-breakout-2024 22:07:34 scribenick: koalie 22:08:09 [Diego introduces the session, reminds of code of conduct, antitrust policy] 22:08:23 Diego: I'd like to record this session 22:08:34 ... just the presentation. any objection? 22:08:40 present+ 22:08:44 [none] 22:09:01 Diego: hold questions till the end, please 22:09:25 ==== 22:09:34 Zakim, take up item 3 22:09:34 agendum 3 -- Goal of this session -- taken up [from tpac-breakout-bot] 22:09:46 Diego: we want to present a solution 22:09:48 ... discuss it 22:09:56 ... implementers, developers might be on this session 22:10:17 ... and get as much feedback as we can on the future API 22:10:34 ==== 22:11:02 Diego: at the moment we have advanced APIs that enable desktop ux on web apps 22:11:15 ... and we have certain apps that can be distributed through stores 22:11:21 ... we're thinking about installing those 22:11:25 ... Web apps are not new 22:11:30 ... they've existed for a while 22:11:43 ... the web platform at the moment is unable to install content on its own 22:11:58 ... we have limited distribution of web apps, content subject to the rules of app catalog 22:12:10 ... we want to democratize app distribution 22:12:27 ... before we dive into the API and installation, I want to dive into what it means to install 22:12:47 ... think about how this would be integrated with the OS 22:12:59 ... there's also the option to get an icon on the home screen of the device 22:13:10 ... the concept is what you get on firefox and androi devices 22:13:46 ==== 22:13:51 Diego: Install criteria 22:14:15 ... for something to be installable the API must support PWA on Chromium and all the web content on webkit 22:14:33 ... install can mean different things 22:14:51 ... the solution https://aka.ms/webinstall 22:14:57 ... is where you'll find the explainer 22:15:16 ... the idea is that basically we're allowing the platform same- cross- origincontent 22:15:38 ... or it can be a more elegant solution 22:15:52 ... there's an ongoing TAG review (#888) 22:16:06 ... we've filed for positiion statements from Webiit and gecko 22:16:40 ... the more common use-case: creation of online app catalogs 22:16:44 npdoty_ has joined #installing-web-apps-breakout-2024 22:17:10 ... or installs apps from the search engine results page 22:17:18 ... both improve discoverability 22:17:27 ... this is a promise-based method 22:17:43 ... it resolves if an app is installed and rejects errors 22:18:08 ... the parameters are manifest_id, install_url and optional object 22:18:18 ... the former is what to install, the latter is where to find it 22:18:22 ... we'll talk more about this 22:18:41 ... just know that if these do not exsit or aren't supported, they have fallback 22:18:50 ... so that it works on as many platforms 22:19:06 [Amanda Baker takes over] 22:19:30 Amanda: the goals are to enable installation of web apps 22:19:42 ... [diagram of the flow; hand-drawn] 22:20:03 ... the app can request installation 22:20:26 ... not much is downloaded yet 22:20:32 ... it passes params 22:20:45 ... for the same-orig. case, there's a way to use same params 22:20:57 ... e.g. current document that is used as manifest and URL 22:21:35 ... for a cross-origin install the goals are the same: install. enable, suppress spamming, track acquisition 22:21:51 ... [hand-drawn diagram on screen] 22:22:00 ... user gives perm to the site for install, prompted to install 22:22:06 ... you get your locally installed app 22:22:26 ... the cross-origin is the same as before but both files need to be present 22:22:30 ==== 22:22:34 Amanda: make it safe 22:23:11 ... permissions are not auto-granted to install apps 22:23:28 ...we respect same origin security model 22:23:31 ... confirmation by user 22:24:07 ... user activation does gating throughout the installation 22:24:21 ... for x-installation specification the insulation source has to request a permission 22:24:26 ... to prevent sites from spamming 22:24:38 ... if the user doesn't accept, the user won't be prompted to install 22:24:51 ... avoiding installation that isn't wanted 22:24:55 ==== 22:25:00 Amana: install_sources 22:25:06 ... this protects the app 22:25:20 ... it allows the target to gate which app stores 22:25:34 ... by default, installation from all sources is disabled 22:25:42 ... the app can allow certain stores 22:25:53 ==== 22:26:01 Amanda: US's install confirmation prompt 22:26:20 ... confirmation is needed, the UA needs a confirmation prompt 22:27:16 [Alex Kyereboah takes over] 22:27:42 Alex: the acquisition provider 22:28:07 ... capability to track is limited to the provider 22:28:20 ... the provider has a property 22:28:25 ... returns information 22:28:44 ... attribution id is used to track which marketing campaign was used for the installation 22:28:58 ==== 22:29:24 Alex: the current proposal 22:29:43 ... referral info 22:29:56 [Diego takes over] 22:30:08 Diego: Thanks Amanda and Alex. Open discussion 22:30:30 Diego: we have 20 minutes in front of us 22:30:38 ... we gave you an overview of the web install AOI 22:30:49 s/AOI/API/ 22:31:13 q+ About the security model and cross-origin isolation 22:31:16 ... if you have questions, concerns, feedback, please 22:31:21 q+ to talk about the security model and cross-origin isolation 22:31:34 ack next 22:31:35 adamscott, you wanted to talk about the security model and cross-origin isolation 22:31:41 q+ 22:31:42 q+ nick 22:31:53 Adam_Scott: great presentation 22:32:32 ... what about the security model and cross-orig. security-wise between this and PWA? 22:32:36 ... is this metadata? 22:32:45 ... I work for the godot game engine 22:32:58 ... x-org. protection allows us to @@ 22:33:04 ... that helps us to isolate 22:33:22 ... if a website can install small games, accept to more feature requires security 22:33:31 q+ Matthieu_Pheulpin 22:33:51 Diego: in the case of the Chromium implementation of web apps there isn't isolation 22:34:09 ... in that sense it wouldn't change what you can do already: installing a PWA from the browser 22:34:28 ... a permission would be set and taken to the origin's permission site 22:34:37 ... the model that exists for PWA isn't changed 22:34:50 ... we want to provide a way for developers to install web content 22:34:58 ... that is deemed installable on any engine 22:35:14 q- ma 22:35:55 Diego: there are presentations that you can look at. the core here is getting content from the web installed on a device as a link or somethine else 22:35:58 ack nick 22:36:14 Nick_Doty: Center for Democracy Technology 22:36:21 ... concern about the cross-origin 22:36:41 ... what's the benefit for the user regarding unvetted stores 22:36:54 ... seems like it opens up surface for phishing attacks 22:37:34 ... clicking names that people recognise is risky, may undermine the security model we have on the web 22:37:47 Diego: It's a valid concern 22:38:19 ... it's one of the reasons why we not only leave the responsibility to the webiste but also to try to allow the PWA to say "I want to be installed by xyz" 22:38:43 ... some devrel and ecosystem training, talking to developers may be needed 22:38:50 ... as we work with stores 22:38:58 ... we thought a lot about this 22:39:10 ... if you have ideas we should take into account we value your input 22:39:17 q+ mathieu_pheulpin 22:39:31 Amanda: one place where we provide more information is the install prompt 22:39:43 ... we don't provide info on the origin 22:39:53 ... I haven't checked many other platforms and browsers 22:40:06 ... Diego called out sources as protection but that would not address the phishing that Nick mention 22:40:13 ... e.g., taking the user to gmail, 22:40:24 Diego: flashing for a couple a seconds and disappear 22:40:36 ... @@ available for the application menu 22:40:44 ... if there's more we could be doing, let us know 22:40:49 ack rick 22:40:52 ack rb 22:40:59 Rick_Byers: Google Chrome 22:41:03 Amendment: Both Chrome and Edge show the origin attempted to be installed in the installation prompt. 22:41:22 ... in the x-or case, you said something about the known permission model 22:41:28 ... it's a significant mitigation 22:41:34 ... I'm worried about push notifications 22:41:40 ... google screwed up those 22:42:01 ... still being explored but permission elements (pepsi) 22:42:07 ... we've concluded that 22:42:18 https://github.com/WICG/PEPC/blob/main/explainer.md 22:42:38 Rick: if pepsi succeeds it feels like it would apply here 22:43:02 ... we should have used a dom even not an API for push notifications 22:43:23 Diego: this will have to play a role; I'm familiar but haven't followed pepsi 22:43:29 s/pepsi/PEPC/G 22:43:32 ack m 22:43:45 Morgan_and_Matthieu: hi from @@ 22:43:54 ... I wanted to add a comment on x-or trust 22:44:00 ... there are two sides to the coin 22:44:18 ... spoofing and trust not yet given 22:44:31 ... there's value to develop credibility and trust for not-yet-known brands 22:44:36 ... with 3rd party repo 22:44:40 q+ 22:44:46 ... of course trust has to be developed in the first place 22:44:50 ... but the model makes sense 22:44:59 q- 22:45:09 ack unextro 22:45:29 Ondrej_Pokorny_(unextro): not affiliated 22:45:37 ... I had the same reaction as Nick 22:46:03 ... my question for x-or use-case what is the benefit for the users to imitate stores? 22:46:24 q+ Dan_Murphy 22:46:33 Ondrej: you end up waiting a long time 22:47:08 Diego: try before you buy is something we discussed 22:47:11 ... we could do 22:47:40 ... if there's a way to enable distribution of applications then that's a valid option 22:48:16 ... it would be insteresting to have a declarative way of installing 22:48:21 ... e.g. an html tag 22:48:35 ... I think the flow of the installation is pretty much up to the implementer 22:49:05 ... we're thinking of the use-cases if there a search engine, stores, links to PWAs 22:49:15 ... maybe an open office, an open slide 22:49:21 ... and an app gets installed 22:49:33 ... if there's enough support for that we'd be open to creating it 22:49:48 q- D 22:50:04 Zakim, agenda? 22:50:04 I see 5 items remaining on the agenda: 22:50:07 1. Pick a scribe [from tpac-breakout-bot] 22:50:07 2. Reminders: code of conduct, health policies, recorded session policy [from tpac-breakout-bot] 22:50:07 3. Goal of this session [from tpac-breakout-bot] 22:50:07 4. Discussion [from tpac-breakout-bot] 22:50:07 5. Next steps / where discussion continues [from tpac-breakout-bot] 22:50:22 Zakim, take up item 5 22:50:22 agendum 5 -- Next steps / where discussion continues -- taken up [from tpac-breakout-bot] 22:51:02 Diego: aka.ms/WebInstall 22:51:19 RRSagent, make minutes 22:51:21 I have made the request to generate https://www.w3.org/2024/03/12-installing-web-apps-breakout-2024-minutes.html koalie 22:52:36 i|Diego: at the moment |Topic: Presentation| 22:52:57 i|Diego: Thanks Amanda and Alex. |Topic: Discussion| 22:54:09 i|RRSagent, make minutes|... feel free to find us on GitHub following the link above| 22:54:12 RRSagent, make minutes 22:54:13 I have made the request to generate https://www.w3.org/2024/03/12-installing-web-apps-breakout-2024-minutes.html koalie 22:57:25 present: Diego_Gonzalez, Amamda_Baker, Alex_Kyereboah, Coralie_Mercier, Ding_Wei, Nick_Doty, Adam_Scott, Morgan-and-Mathhieu, Ondrej_Pokorny, Rick_Byers, Howard_Wolosky, Dan_Murphy 22:58:11 RRSagent, make minutes 22:58:12 I have made the request to generate https://www.w3.org/2024/03/12-installing-web-apps-breakout-2024-minutes.html koalie 23:02:28 s|Diego: aka.ms/WebInstall|Diego: for next steps, find info at https://aka.ms/webinstall| 23:03:20 s|(#888)|https://github.com/w3ctag/design-reviews/issues/888#issuecomment-1734131209| 23:03:32 s/Webiit/webkit/ 23:03:49 s/or installs apps/or install apps/ 23:04:22 s/object/objects/ 23:04:41 s/exsit/exist/ 23:05:19 s/Diego introduces/Diego Gonzalez introduces/ 23:06:30 s/====// 23:06:31 s/====//G 23:07:02 s/specification/specifically/ 23:07:34 s/US's/UA's/ 23:09:19 s/unvetted stores/unvetted stores?/ 23:09:42 s/webiste/website/G 23:10:23 s/gmail,/gmail/ 23:11:43 present+ Natasha_Gaitonde 23:12:36 s/dom even/DOM event/ 23:13:00 s/Mathhieu/Matthieu/ 23:13:58 s/e.g./e.g.,/G 23:14:08 s/html tag/HTML tag/ 23:14:30 RRSagent, make minutes 23:14:31 I have made the request to generate https://www.w3.org/2024/03/12-installing-web-apps-breakout-2024-minutes.html koalie 23:15:00 s/Amana:/Amanda:/ 23:15:15 RRSagent, make minutes 23:15:16 I have made the request to generate https://www.w3.org/2024/03/12-installing-web-apps-breakout-2024-minutes.html koalie 23:15:41 s/Amamda/Amanda/G 23:15:42 RRSagent, make minutes 23:15:44 I have made the request to generate https://www.w3.org/2024/03/12-installing-web-apps-breakout-2024-minutes.html koalie 23:23:29 RRSAgent, stay 23:23:44 Zakim, bye 23:23:44 leaving. As of this point the attendees have been Diego_Gonzalez, Amamda_Baker, Alex_Kyereboah, Coralie_Mercier, Ding_Wei, Nick_Doty, Adam_Scott, Morgan-and-Mathhieu, 23:23:44 Zakim has left #installing-web-apps-breakout-2024 23:23:47 ... Ondrej_Pokorny, Rick_Byers, Howard_Wolosky, Dan_Murphy, Natasha_Gaitonde