Headlights2014/W3C Workshop on Web Apps and Marketplaces

Name of idea

W3C Workshop on Web Apps and Marketplaces

Submitter name

Dave Raggett

Classification

This idea is:

• A trend in information technology that requires further standardization

One Hundred Word Description of the Idea

We want to organize a W3C workshop to identify a roadmap for further standardization for web applications. The general aim is to make the Web the compelling choice for application developers, based upon open standards for rich access to device capabilities, excellent performance, strong security and privacy, ease of app discovery and monetization, accessibility, and low development and maintenance costs for targeting a heterogeneous mix of device types.

The Workshop will build upon existing efforts, e.g. the System Applications and Web Apps Working Groups, and many other W3C Groups contributing to making the Web stronger for application development. The aim is to clarify opportunities for rechartering existing groups, for chartering new groups, and to create a shared vision for what we want to realize and the roadmap for getting there.

This Headlights exercise will focus on clarifying the scope and objectives for the workshop, with a view to holding the workshop in Q3 2014.

Benefit(s) to Web or W3C

• Focusing effort on where new standards are needed

• A stronger and more competitive Web, both online and offline

• Improving the user experience of Web applications compared to native apps

• Making it easier for users to discover and pay for services

• Reducing the barriers for developers wishing to deploy apps to a wide range of devices

Which of our stakeholders would be the most enthusiastic in supporting

• Device manufacturers
• Browser vendors
• App developers
• Online advertisers

Feedback/Questions on the idea

• Philipp: the original idea was to hold a "Web OS" workshop to potentially refocus our "closing the gap' efforts and coordinate and focus the work currently spread over several WGs Main reason to make this a headlights project was that there was no funding available for the workshop when the idea was brought up at a ubiweb meeting, so would suggest to earmark 20K Euros for hosting this workshop - which we may not need if we find enough sponsors.

See thread on SysApps List:

• http://lists.w3.org/Archives/Public/public-sysapps/2014Jan/0005.html

In summary:

Wonsuk Lee (Samsung) is in favour, and wants to hear more about the ideas for scoping the proposed workshop.

Marcos Caceres (Mozilla) suggests focusing on areas where the Web has fallen behind technically rather than stores, adding that changing the security model of the Web is tough. The experience of the DAP WG is a reminder of the need to stay nimble. He says that W3C needs to make it clearer that workshops are open meetings and not at all like academic workshops. The workshop needs a clear focus and tangible outcomes.

Anssi Kostiainen (Intel) says we must embrace the prevalent permission, security, and trust models of the Web and build upon them to get the benefits of the Web too. Good things like universal access, discoverability through search engines, and an ability to share and discover content through plain old URLs without the middleman, for example.

That said, Anssi says there’s an opportunity to make progress on some topics that could be in scope for the workshop:

• How to gradually build trust when a user is having a conversation with a web resource, mediated by the User Agent? In abstract this is pretty similar to how humans interact with each other when they build trust relationships. Trust builds over time. You do not give your keys to a stranger you just met, but you probably happily tell your first name, for example. How this relates to the Web? Perhaps a user who has bookmarked a site trusts it a bit more than a site that she has not bookmarked? Or if a user visits a particular site every day, she may trust the site more. Or if other people she relates to do the same (reputation system). This should work both ways, and a site may lose a user’s trust as well.

• We have a set of trust gestures built in to the platform such as bookmarking, uploading a file using the file picker, and drag and drop. I think it is important to ensure we understand and use these implicit permissions grants where appropriate instead of inventing new ones. The good old writeup by Robert O’Callahan at [1] is still relevant. Also the Mozilla’s position paper [2] from a 2008 workshop gives historical background from the time when the Geolocation API was the new thing.

[1] http://robert.ocallahan.org/2011/06/permissions-for-web-applications_30.html
[2] http://www.w3.org/2008/security-ws/papers/mozilla.html

To sum up, exposing more powerful APIs to the platform is not inherently bad. But if such APIs are only exposed to a subset of the Web (e.g. content distributed through often curated marketplaces), it is certainly not optimal considering the long-term health of the Web. We must ensure we evolve the Web as a whole, without boundaries.

Understanding, evolving, and building atop the permission, security and trust models *of the Web* is the crux. Having a workshop — assuming we do not revisit the problems we have tried to solve multiple times before without great success -- sounds like a good idea.

Charles McCathie Nevile (Yandex) says it is likely that there would be a lot of noisy pushback if the outcome is a new working group. He support's Marcos and Anssi in the need to focus on outcomes -- what can we usefully improve on and how do we ensure that we learn from the last decade (at least) of going round and round this circle? He is less worried about revisiting things -- that's how we learn.

Charles adds that he would be appalled to see W3C simply start up Yet Another Group For APIs without a very strong push to recognise what has gone before. (To cite history, when sysapps proposed an app: URI spec that was a simple copy/paste of the widget: URI spec without acknowledging that history I think it made a grave mistake on several levels).

There is obviously continuing interest in this area, so thinking about how to harness it towards developing standards, rather than the current mess of fragmentation, would be a useful thing to do if we can get support from those who are pushing forward the current different flavours of the same thing.

Anssi responds: Yes, I tried to say we should not revisit the same problems without new input to the process, IOW do the same thing over and over again and expect different results.

That said, I’m confident that with the right participants and scope we are able to make progress, especially if the same problems are shared with many products that are widely deployed.

To take an example, Dom’s analysis of permissions handling in modern browsers (see below) is new input, describes a concrete problem, which I believe browser vendors have acknowledged and have interest in solving. Also, that is a problem that I assume can be solved in a reasonable time, or at least the situation can be improved significantly.

Extract from Charles' email:

I would be appalled to see W3C simply start up Yet Another Group For APIs without a very strong push to recognise what has gone before. (To cite history, when sysapps proposed an app: URI spec that was a simple copy/paste of the widget: URI spec without acknowledging that history I think it made a grave mistake on several levels).

There is obviously continuing interest in this area, so thinking about how to harness it towards developing standards, rather than the current mess of fragmentation, would be a useful thing to do if we can get support from those who are pushing forward the current different flavours of the same thing.

Agreed. Good candidates for further standards work are often evolutionary improvements that solve real-world problems that exist on the platform today, without disconnect to the current technology stack.

Dominique Hazael-Massieux (W3C Staff) notes: Somewhat relevant to this thread, I published last week a review of existing permission requests across a set of Web APIs and features:

• http://lists.w3.org/Archives/Public/public-web-mobile/2014Jan/0001.html
• http://dontcallmedom.github.io/web-permissions-req/matrix.html

Since a lot of the tension between in-browser vs out-of-the-browser application discussions resolve around permission and trust management, this might be useful input to this discussion.

Also, I've recently added a number of references and quotes to [3] which would be good additional input.

[3] http://www.w3.org/wiki/Mobile/articles#API_Permissions

Anssi responds: Dom - this is a great overview on the subject of permission handling on the Web Platform. The concrete examples on the current state are especially telling. Thanks for kicking this off, informing the TAG.

Extract from Dom's email:

Since a lot of the tension between in-browser vs out-of-the-browser application discussions resolve around permission and trust management, this might be useful input to this discussion.

I feel the topics you mention should definitely be in scope for the planned workshop. These are real problems that now exists in shipping modern browsers and harm the user experience of in-browser applications that use new features and APIs that require user consent.

Extract from Dom's email:

Also, I've recently added a number of references and quotes to [3] which would be good additional input.

All - if you have good contacts in the academic world, doing HCI research, feel free to let them know we’re collecting relevant research papers on the topic to the above wiki.