14:01:31 RRSAgent has joined #webview
14:01:31 logging to https://www.w3.org/2022/07/26-webview-irc
14:01:34 Zakim has joined #webview
14:02:07 tidoust has joined #webview
14:02:13 rayan has joined #webview
14:02:16 muodov has joined #webview
14:02:24 bgalek has joined #webview
14:02:35 Present+ QingAn, Rayan, NiklasMerz, BartoszGalek, MaxTsoy, JohnRiviello, Francois, Dom, ThomasSteiner
14:02:42 JohnRiv has joined #webview
14:02:45 Chairs: QingAn, Rayan
14:03:01 niklas has joined #webview
14:03:05 aluhrs13_ has joined #webview
14:03:11 Agenda: https://www.w3.org/events/meetings/a329378b-e308-4930-8c45-c33691570d96
14:03:32 Topic: -> https://github.com/WebView-CG/usage-and-challenges/issues?q=is%3Aissue+is%3Aopen+label%3AAgenda%2B Review and discuss use cases
14:05:02 Qing: we're planning to publish a stable version of the use cases document for TPAC and take advantage of TPAC to share it more broadly
14:05:25 Qing: today we'll continue our discussions on the issues
14:05:44 Subtopic: -> https://github.com/WebView-CG/usage-and-challenges/issues/7 What is the "Origin" in a WebView, for locally hosted content? #7
14:05:44 https://github.com/WebView-CG/usage-and-challenges/issues/7 -> Issue 7 What is the "Origin" in a WebView, for locally hosted content? (lrosenthol) use case, agreed use case, Agenda+
14:06:02 bgalek1 has joined #webview
14:06:23 Qing: I've created a pull request (#25) to add the use case to the doc
14:06:23 https://github.com/WebView-CG/usage-and-challenges/issues/25 -> Pull Request 25 Merge use case of issue 7 (QingAn)
14:06:55 Niklas: thanks for integrating my feedback in the PR
14:07:13 ... I come from the mobile perspective - there may remain input from e.g. the epub perspective
14:07:58 Qing: I've asked for further input on that; maybe we can merge this after one or two more weeks of feedback
14:08:20 Present+ AndyLuhrs
14:08:34 Andy: I can contribute the desktop perspective here if useful - coming from Microsoft
14:09:00 Qing: absolutely! additional comments / suggestions, and additional github issues would be welcome
14:09:29 Subtopic: #16
14:09:29 https://github.com/WebView-CG/usage-and-challenges/issues/16 -> Issue 16 Display and manipulate third party content while blocking third party scripting (bduga) use case, Agenda+
14:09:54 Qing: Will have to skip since Brady isn't around
14:09:57 Subtopic: #19
14:09:58 https://github.com/WebView-CG/usage-and-challenges/issues/19 -> Issue 19 Define different types of webviews (NiklasMerz) use case, Agenda+
14:10:16 Qing: this was brought up in our last meeting
14:10:58 Niklas: I summarized a list of webviews and their capabilities - this could provide a good start for discussions
14:12:22 ... this is also coming from the mobile perspective, could use some desktop perspective
14:12:36 andy: will be happy to add the desktop perspective
14:12:41 Max: +1
14:13:01 ... we at Duck Duck Go, we're working with WebView2 and it definitely deserves its own section
14:13:20 ... there is also GeckoView - not sure if Mozilla is participating in this group, may be interesting to reach out to them
14:14:26 Qing: this will prove useful to categorize our use cases as input to WebViews vendors
14:15:11 ... having input from vertical use cases (e.g. ecommerce) on how these webviews apply to their scenarios
14:16:29 Subtopic: #20
14:16:29 https://github.com/WebView-CG/usage-and-challenges/issues/20 -> Issue 20 Inject custom JS scripts (muodov) use case, Agenda+
14:17:39 Max: Rayan raised the question about how injecting scripts plays with the security model
14:18:08 ... there is an emerging agreement that injecting JS is important and many products rely on this
14:18:58 Qing: the main controversy is around 1st vs 3rd party content injection
14:19:31 ... Max, you provided examples of where injecting 3rd party scripts is useful
14:19:46 q+
14:20:02 Max: I'm not sure we should talk about 3rd-party
14:20:11 ... the script is embedded by the app itself
14:21:09 ... the examples I give are based on real-life usage
14:24:08 ... there are platform-specific limitations: in webkit webview, injected scripts are isolated from the page script
14:24:09 QingAn has joined #webview
14:24:19 ... this exists in Chrome extensions, but not in Android WebView
14:24:27 q?
14:24:32 ... Another limitation is that sometimes you can't inject scripts in every context
14:24:47 ... e.g. 3rd party iframe nested inside the page, in Android WebView the native app can't inject scripts there
14:25:01 ... for us DDG, this is a big limitation to our injected privacy protections
14:25:08 ... whereas this is possible in WebView2
14:25:52 ... there are inconsistent features provided across platforms
14:25:58 ... which I think can be improved
14:28:33 dom: +1 on not describing these as 1st vs 3rd party - injected scripts are part of the UA in this example
14:28:53 ... we should identify if the different limitations across platforms are based on different policies (vs just bugs)
14:29:26 ... if they are different policies, it would be useful to document them, and possibly see if we can create directions for these policies to converge on
14:29:43 ... e.g. based on the type of use cases (e.g. any-content browser vs specific-content rendering)
14:31:06 Rayan: JS injection can't be available in all webview platforms - e.g. customtab that integrates with the existing browser storage
14:31:38 ... in contexts that allow for it, it makes sense to offer this consistently across environments (e.g. service worker)
14:32:03 ... security concerns are a reason for limiting what can be injected
14:32:18 q?
14:32:22 ... which varies hugely across use cases
14:32:22 q-
14:32:45 ... definitely need to inject everywhere for a browser, but not quite so if you're only rendering 1st party content
14:33:11 Max: it would be useful to have an analysis of that perspective and what specific issues arise from this
14:33:39 ... also, is it a blocker to add this to our report?
14:33:50 Rayan: not a blocker - but that's a key issue for us to discuss
14:34:04 ... e.g. signing via a webview shares the credential with the host app
14:34:07 q+
14:34:33 ... there are ways for apps to declare which origins they're tied to
14:34:56 q?
14:35:45 Andy: WebView2 has a drastically different attack surface than Android - once you can run an executable on Windows, injecting JS is the least of your worries
14:38:06 muodov_ has joined #webview
14:39:10 dom: +1 on tying use cases with specific security policies - e.g. if you ask "UA-type delegation" (which gives full script injection) you would likely get additional scrutiny in app store review on Android
14:39:29 Rayan: in any case, +1 on merging this as a valid use case
14:39:59 Qing: we'll label it as such
14:40:57 Subtopic: #23
14:40:58 https://github.com/WebView-CG/usage-and-challenges/issues/23 -> Issue 23 Control API permissions (muodov) use case, Agenda+
14:41:29 Max: this was a follow up to another issue - the use case is that sometimes you want to control more granularly what kind of permissions are granted to web content
14:41:55 ... for cases where a browser would prompt user content (e.g. geolocation, camera, screen capture)
14:42:06 ... this is limited across platforms, and inconsistent
14:42:45 ... ideally, we would like to see some way to control this - via events when something happens, or an API to read the current state (whether permission has been granted or not)
14:42:53 ... or program control on permission states
14:43:22 ... For our case (a browser), we would want to replicate what other browsers can do - with a UI to manage permissions, react to prompts, etc
14:44:49 Andy: e.g. the local font API is restricted in a browser context, but doesn't need these restrictions in a native app
14:45:38 ... overall, 3 issues in WebView2: we have to play catch up with the permission spec as it evolves
14:46:16 ... we had to go beyond "granted" / "deny", with "in use" or with screen sharing bringing additional complexity
14:46:44 QingAn has joined #webview
14:47:02 q?
14:47:12 ack dom
14:47:37 dom: so we would need a more unified model of these underlying considerations - they aren't unified today since they're not exposed directly to Web developers in a browser context
14:48:07 Andy: probably
14:48:26 Max: maybe WebView could adopt the same underlying model in permission spec
14:48:47 Andy: there is a permission registry emerging that lists the various axes of complexity
14:49:14 -> https://w3c.github.io/permissions-registry/ Permissions Registry
14:49:22 Qing: I'm hearing agreement this is a valid use case
14:49:27 Andy: +1
14:49:38 Dom: +1
14:49:50 Rayan: +1 - it also deals with the OS permission integration
14:50:52 Qing: Does that extend to hybrid apps, beyond in-app browser?
14:51:00 andy: I have hybrid app use cases
14:51:20 Subtopic: #24
14:51:20 https://github.com/WebView-CG/usage-and-challenges/issues/24 -> Issue 24 Manage web storage and cookies (muodov) use case, Agenda+
14:51:42 Max: (I still have a few more issues to file)
14:51:52 Max: this one is about dealing with cookies & web storage
14:52:14 ... our browser has a lot to do with privacy protections for which cookies & web storage are essential
14:53:29 q?
14:54:28 Andy: accessing the value of cookies is debatedly worse than injecting JS - stealing cookies can enable impersonating
14:54:43 ... is this a similar threat to the one we discussed earlier with Android WebView?
14:54:55 Rayan: this is indeed doable with Android WebView at the moment
14:55:11 ... cookies aren't persisted at the moment, which is somewhat a mitigation
14:55:17 q?
14:55:26 ... this is another case of an API that should be tied to a specific set of use cases
14:57:06 Niklas: iOS can have a shared cookie storage across native http requests and webviews
14:58:03 Max: the DDG engineers liked the cookie manager in WebView2 a lot
15:00:22 ... I can add more details, but not sure it's needed to determine whether this is a valid use case
15:00:30 ... the 3 points I've put in the document are probably the most significant bitgs
15:00:34 s/tg/t
15:00:54 ... Any specific details you would like to see added?
15:01:26 Qing: any input on whether to accept it as is?
15:01:42 Andy: I think the baseline use case is ability to clear cookies (e.g. to logout/wipe data)
15:02:38 ... another typical need is when auth is done in the native app and want to share a secret for future interactions through their webview
15:02:46 ... without sharing it with other webviews
15:04:24 Qing: we can try to define a more granular set of cookie management operations (clear, update/modify)
15:04:42 ... as a preliminary step before making a decision on the use case
15:04:55 max: I can take a stab at our needs from a DDG perspective if that helps
15:05:22 RRSAgent, draft minutes
15:05:22 I have made the request to generate https://www.w3.org/2022/07/26-webview-minutes.html dom
15:05:23 RRSAgent, make log public
15:05:30 Topic: Next meeting
15:05:42 Qing: on Aug 9 at 7am UTC
15:06:24 ... if all goes well, we can have our stable report by end of August
15:06:32 RRSAgent, draft minutes
15:06:32 I have made the request to generate https://www.w3.org/2022/07/26-webview-minutes.html dom
15:07:46 Meeting: WebView CG
15:07:46 RRSAgent, draft minutes
15:07:46 I have made the request to generate https://www.w3.org/2022/07/26-webview-minutes.html dom
17:25:11 Zakim has left #webview