W3C

– DRAFT –
Installing web apps as a new platform feature

12 March 2024

Attendees

Present
Adam_Scott, Alex_Kyereboah, Amanda_Baker, Coralie_Mercier, Dan_Murphy, Diego_Gonzalez, Ding_Wei, Howard_Wolosky, Morgan-and-Matthieu, Natasha_Gaitonde, Nick_Doty, Ondrej_Pokorny, Rick_Byers
Regrets
-
Chair
Amanda Baker, Diego Gonzalez-Zuniga
Scribe
koalie

Meeting minutes

Installing web apps as a new platform feature

[Diego Gonzalez introduces the session, reminds of code of conduct, antitrust policy]

Diego: I'd like to record this session
… just the presentation. Any objection?

[none]

Diego: hold questions till the end, please

Goal of this session

Diego: we want to present a solution
… discuss it
… implementers, developers might be on this session
… and get as much feedback as we can on the future API

Presentation

Diego: at the moment we have advanced APIs that enable desktop UX on web apps
… and we have certain apps that can be distributed through stores
… we're thinking about installing those
… Web apps are not new
… they've existed for a while
… the web platform at the moment is unable to install content on its own
… we have limited distribution of web apps, content subject to the rules of app catalog
… we want to democratize app distribution
… before we dive into the API and installation, I want to dive into what it means to install
… think about how this would be integrated with the OS
… there's also the option to get an icon on the home screen of the device
… the concept is what you get on Firefox and Android devices

Diego: Install criteria
… for something to be installable the API must support PWA on Chromium and all the web content on WebKit
… install can mean different things
… the solution https://aka.ms/webinstall
… is where you'll find the explainer
… the idea is that basically we're allowing the platform same- or cross-origin content
… or it can be a more elegant solution
… there's an ongoing TAG review https://github.com/w3ctag/design-reviews/issues/888#issuecomment-1734131209
… we've filed for position statements from WebKit and Gecko
… the more common use-case: creation of online app catalogs
… or install apps from the search engine results page
… both improve discoverability
… this is a promise-based method
… it resolves if an app is installed and rejects with an error
… the parameters are manifest_id, install_url and optional objects
… the former is what to install, the latter is where to find it
… we'll talk more about this
… just know that if these do not exist or aren't supported, they have fallback
… so that it works on as many platforms

[Amanda Baker takes over]

Amanda: the goals are to enable installation of web apps
… [diagram of the flow; hand-drawn]
… the app can request installation
… not much is downloaded yet
… it passes params
… for the same-origin case, there's a way to use same params
… e.g., current document that is used as manifest and URL
… for a cross-origin install the goals are the same: install, enable, suppress spamming, track acquisition
… [hand-drawn diagram on screen]
… user gives perm to the site for install, prompted to install
… you get your locally installed app
… the cross-origin is the same as before but both files need to be present

Amanda: make it safe
… permissions are not auto-granted to install apps
… we respect same origin security model
… confirmation by user
… user activation does gating throughout the installation
… for cross-origin installation specifically the installation source has to request a permission
… to prevent sites from spamming
… if the user doesn't accept, the user won't be prompted to install
… avoiding installation that isn't wanted

Amanda: install_sources
… this protects the app
… it allows the target to gate which app stores
… by default, installation from all sources is disabled
… the app can allow certain stores

Amanda: UA's install confirmation prompt
… confirmation is needed, the UA needs a confirmation prompt

[Alex Kyereboah takes over]

Alex: the acquisition provider
… capability to track is limited to the provider
… the provider has a property
… returns information
… attribution id is used to track which marketing campaign was used for the installation

Alex: the current proposal
… referral info

[Diego takes over]

Discussion

Diego: Thanks Amanda and Alex. Open discussion

Diego: we have 20 minutes in front of us
… we gave you an overview of the web install API
… if you have questions, concerns, feedback, please

<Zakim> adamscott, you wanted to talk about the security model and cross-origin isolation

Adam_Scott: great presentation
… what about the security model and cross-origin security-wise between this and PWA?
… is this metadata?
… I work for the godot game engine
… cross-origin protection allows us to @@
… that helps us to isolate
… if a website can install small games, accept to more feature requires security

Diego: in the case of the Chromium implementation of web apps there isn't isolation
… in that sense it wouldn't change what you can do already: installing a PWA from the browser
… a permission would be set and taken to the origin's permission site
… the model that exists for PWA isn't changed
… we want to provide a way for developers to install web content
… that is deemed installable on any engine

Diego: there are presentations that you can look at. the core here is getting content from the web installed on a device as a link or something else

Nick_Doty: Center for Democracy & Technology
… concern about the cross-origin
… what's the benefit for the user regarding unvetted stores?
… seems like it opens up surface for phishing attacks
… clicking names that people recognise is risky, may undermine the security model we have on the web

Diego: It's a valid concern
… it's one of the reasons why we not only leave the responsibility to the website but also to try to allow the PWA to say "I want to be installed by xyz"
… some devrel and ecosystem training, talking to developers may be needed
… as we work with stores
… we thought a lot about this
… if you have ideas we should take into account we value your input

Amanda: one place where we provide more information is the install prompt
… we don't provide info on the origin
… I haven't checked many other platforms and browsers
… Diego called out sources as protection but that would not address the phishing that Nick mentioned
… e.g., taking the user to gmail

Diego: flashing for a couple of seconds and disappearing
… @@ available for the application menu
… if there's more we could be doing, let us know

Rick_Byers: Google Chrome

<Howard_Wolosky> Amendment: Both Chrome and Edge show the origin attempted to be installed in the installation prompt.

Rick_Byers: in the cross-origin case, you said something about the known permission model
… it's a significant mitigation
… I'm worried about push notifications
… Google screwed up those
… still being explored but permission elements (PEPC)
… we've concluded that

<rbyers> https://github.com/WICG/PEPC/blob/main/explainer.md

Rick: if PEPC succeeds it feels like it would apply here
… we should have used a DOM event not an API for push notifications

Diego: this will have to play a role; I'm familiar but haven't followed PEPC

Morgan_and_Matthieu: hi from @@
… I wanted to add a comment on cross-origin trust
… there are two sides to the coin
… spoofing and trust not yet given
… there's value to develop credibility and trust for not-yet-known brands
… with 3rd party repo
… of course trust has to be developed in the first place
… but the model makes sense

Ondrej_Pokorny_(unextro): not affiliated
… I had the same reaction as Nick
… my question for the cross-origin use-case: what is the benefit for the users to imitate stores?

Ondrej: you end up waiting a long time

Diego: try before you buy is something we discussed
… we could do
… if there's a way to enable distribution of applications then that's a valid option
… it would be interesting to have a declarative way of installing
… e.g., an HTML tag
… I think the flow of the installation is pretty much up to the implementer
… we're thinking of the use-cases if there's a search engine, stores, links to PWAs
… maybe an open office, an open slide
… and an app gets installed
… if there's enough support for that we'd be open to creating it

Next steps / where discussion continues

Diego: for next steps, find info at https://aka.ms/webinstall
… feel free to find us on GitHub following the link above

Minutes manually created (not a transcript), formatted by scribe.perl version 221 (Fri Jul 21 14:01:30 2023 UTC).


Active on IRC: adamscott, Dingwei__, Howard_Wolosky, koalie, rbyers, tpac-breakout-bot, unextro