06:51:23 <RRSAgent> RRSAgent has joined #webview
06:51:23 <RRSAgent> logging to https://www.w3.org/2022/06/08-webview-irc
06:51:25 <Zakim> Zakim has joined #webview
06:51:39 <ghurlbot> ghurlbot has joined #webview
06:52:07 <dom> ghurlbot, use WebView-CG/usage-and-challenges
06:52:07 <ghurlbot> dom, OK
06:52:25 <dom> Agenda: https://github.com/WebView-CG/usage-and-challenges/blob/main/meetings/4th-meeting-agenda-220608.md
06:52:43 <dom> Meeting: WebView CG
06:52:51 <dom> chair: QingAn, Rayan
07:01:58 <duga> duga has joined #webview
07:03:44 <dom> Present+ Dom, QingAn, Rayan, NiklasMerz, BradyDuga, JiashengWu
07:04:46 <dom> Topic: Review and discuss use cases
07:04:54 <dom> Subtopic: #12
07:04:55 <ghurlbot> https://github.com/WebView-CG/usage-and-challenges/issues/12 -> Issue 12 Sharing HTTP requests/responses between Native & Webview (JohnRiv) use case, Agenda+
07:05:45 <dom> QingAn: this use case is about sharing http requests & responses between native & webview
07:05:52 <dom> ... or use native as a proxy for the WebView
07:06:39 <dom> ... I've described the scenarios associated with this usage
07:07:05 <dom> ... 1st four are articulated around proxy with access control, firewall, ...
07:07:18 <dom> ... the last one is more directly related to sharing request/response
07:08:02 <QingAn> q?
07:08:35 <dom> Niklas: +1 to this use case - I've had to do this kind of native proxy to work around CORS issues
07:08:58 <dom> QingAn: +1 on this being a valid use case
07:09:16 <dom> ... is there agreement on adding this to the document?
07:09:24 <dom> ... any objection or further comment?
07:09:51 <dom> Rayan: using to bypass the CORS / security model for the Web shouldn't be something we push for
07:10:06 <dom> ... we should maintain the privacy / security pillars of the Web
07:10:29 <dom> QingAn: could you comment to that effect in the issue?
07:10:30 <dom> q+
07:12:05 <dom> ack me
07:12:47 <dom> dom: how would do e.g. a podcast app without overriding CORS?
07:13:08 <dom> rayan: I just want to make sure we discuss the situation rather than accepting CORS-override as a default
07:13:17 <dom> ... there are alternatives that are worth documenting at the very least
07:13:21 <dom> ... will bring it to the issue
07:13:28 <dom> Subtopic: #16
07:13:28 <ghurlbot> https://github.com/WebView-CG/usage-and-challenges/issues/16 -> Issue 16 Display and manipulate third party content while blocking third party scripting (bduga) use case, Agenda+
07:14:01 <dom> Brady: this comes up frequently in the digital publishing world
07:14:10 <dom> ... we have 3rd party content from publishers or from users
07:14:22 <dom> ... we want to display it in a WebView for rich display
07:14:33 <dom> ... but we don't want any script to run - we don't want to have to trust them
07:14:49 <dom> ... but we still want to manipulate the content (e.g. to change fonts, margins)
07:14:55 <dom> ... which typically would be done through script injection
07:15:12 <dom> ... you can't turn off JS to run yours, but you don't want to run the 3rd party JS
07:15:13 <dom> q+
07:15:41 <QingAn> q?
07:15:47 <dom> ack me
07:15:54 <dom> dom: wouldn't Content Security Policy enable this?
07:15:58 <dom> Brady: maybe, I don't know
07:16:17 <dom> ... our approach has been to remove as much as JS as we can, but that's never going to be perfect
07:16:29 <dom> dom: we should add Content-Security-Policy to the related W3C deliverables
07:17:14 <dom> brady: a solution that I like is exposing the DOM & CSS OM to native code so that I don't have to write JS - but probably lots harder to do
07:17:50 <dom> QingAn: I think Android and iOs have private interfaces to achieve this
07:19:14 <QingAn> q?
07:19:27 <dom> dom: another approach might be to hook Subresource Integrity to control tightly which scripts get executed
07:19:46 <dom> QingAn: a similar issue has been brought up in the context of mini apps
07:20:17 <dom> ... I'll ask some miniapps folks to chime in with their use cases in the issue
07:21:01 <dom> Rayan: supports this as a valid use case
07:21:08 <dom> ... +1 to Dom that CSP can support this
07:21:35 <dom> QingAn: is CSP supported in WebViews?
07:21:43 <dom> Rayan: it should be in Android at least
07:22:37 <dom> QingAn: Mini-Apps use OS WebViews and other customized views; some miniapps vendors do not support CSP through their webviews
07:22:48 <dom> Rayan: this also relates to Web Platform compat in WebViews
07:23:17 <dom> Subtopic: #17
07:23:18 <ghurlbot> https://github.com/WebView-CG/usage-and-challenges/issues/17 -> Issue 17 Render WebView Components and Native Components in same layer (QingAn) use case, Agenda+
07:24:17 <dom> QingAn: it's common for hybrid & mini apps to mix native and WebView component, e.g. many hybrid apps prefer to use their native video component for better performance
07:24:48 <dom> ... this means the rendering is done by the native app instead of the webview
07:25:01 <dom> ... this enables more features due to the native abilities
07:25:06 <dom> ... but it creates rendering issues for developers
07:25:20 <dom> ... e.g. z-index property can't be applied to the native component
07:26:58 <niklas> niklas has joined #webview
07:27:19 <niklas> present+ Niklas Merz
07:27:25 <dom> ... it would be good if the native component could be rendered in the same layer as the webview instead of a different layer
07:27:57 <dom> ... e.g. with the native component treated as a DOM node that could be better controlled by the developer for layout
07:28:11 <dom> ... there are private solutions that address this problem e.g. by mini-apps vendors
07:28:35 <dom> ... having a solution provided directly by default webviews would help
07:29:00 <QingAn> q?
07:29:01 <dom> ... this is a widely encountered issue in the miniapps world
07:29:37 <dom> Rayan: hybrid merging of layers feels more like an OS feature than a WebView feature
07:31:48 <dom> ... is the proposal to make the native component part of the DOM?
07:31:50 <dom> QingAn: yes
07:32:21 <dom> ... when we start looking at solutions, I can share how miniapps deal with this through private solutions
07:32:26 <dom> Rayan: that would be very interesting
07:32:31 <QingAn> ?
07:33:08 <QingAn> q?
07:33:43 <dom> Subtopic: #7
07:33:43 <ghurlbot> https://github.com/WebView-CG/usage-and-challenges/issues/7 -> Issue 7 What is the "Origin" in a WebView, for locally hosted content? (lrosenthol) Agenda+
07:34:39 <dom> Niklas: I've worked with Apache Cordova; Android and iOS have different approaches to using local content
07:34:53 <dom> ... it used to be that you would use file:///
07:35:10 <dom> ... but to help with dealing with cross-origin, they introduced two different approaches
07:35:23 <dom> ... iOS uses a custom:// scheme, where Android uses a custom domain name
07:35:29 <dom> ... having a unified approach would help
07:35:54 <dom> QingAn: are you suggesting a standardized URI scheme for this?
07:36:06 <dom> Niklas: yes
07:36:18 <dom> q+
07:37:14 <dom> QingAn: would locally hosted content considered secure? or are there security risks associated with it?
07:37:56 <dom> Niklas: in the context of Apache Cordova, you're in full control of the content that gets shipped through app store
07:38:02 <dom> ... from my experience, it should be safe
07:38:16 <dom> Rayan: +1 - it should be considered as first party
07:38:24 <dom> ... having the ability to standardize its origin would hlep
07:38:28 <dom> s/hlep
07:38:33 <dom> s/hlep/help
07:38:55 <dom> QingAn: +1
07:39:12 <dom> ... should we suggest a standardized scheme for locally hosted content in the solution space?
07:39:16 <dom> [room: yes]
07:39:18 <dom> q?
07:40:25 <dom> QingAn: should we merge this with #15?
07:40:26 <ghurlbot> https://github.com/WebView-CG/usage-and-challenges/issues/15 -> Issue 15 Third party cookies and cross origin ressource sharing in webviews (NiklasMerz) use case
07:41:02 <dom> Niklas: #15 is a derivative - we should probably focus on #7 for now
07:41:02 <ghurlbot> https://github.com/WebView-CG/usage-and-challenges/issues/7 -> Issue 7 What is the "Origin" in a WebView, for locally hosted content? (lrosenthol) Agenda+
07:41:19 <dom> QingAn: could you add use cases to #7 then Nikas?
07:41:22 <dom> s/kas/klas/
07:42:29 <dom> ack me
07:42:42 <dom> dom: having a well-defined origin will also help with using CSP for third-party filtering
07:45:05 <dom> Subtopic: #10
07:45:06 <ghurlbot> https://github.com/WebView-CG/usage-and-challenges/issues/10 -> Issue 10 UserScript injection in WebView (Token-LiMing) use case
07:46:00 <dom> Qing: we can close this issue
07:47:54 <dom> Topic: AOB
07:48:30 <dom> -> https://www.w3.org/community/wintercg Winter Community CG
07:48:49 <dom> Dom: the Winter CG (Web Interoperable Runtime) CG launched recently, with possibly some overlapping interests
07:49:02 <dom> Dom: also TPAC schedule has been announced, including our meeting slot for WebView CG
07:49:41 <dom> Present+ MaxTsoy
07:50:31 <dom> -> https://webview-cg.github.io/usage-and-challenges/ Draft of WebView: Usage Scenarios and Challenges
07:50:48 <dom> QingAn: currently only one use case, will add others we've agreed on
07:51:04 <dom> ... building up for something to share at the upcoming TPAC
07:52:41 <dom> RRSAgent, draft minutes
07:52:41 <RRSAgent> I have made the request to generate https://www.w3.org/2022/06/08-webview-minutes.html dom
07:52:44 <dom> RRSAgent, make log public
11:31:19 <Zakim> Zakim has left #webview
11:59:02 <dom> dom has left #webview