14:06:21 <RRSAgent> RRSAgent has joined #isolated-web-apps
14:06:21 <RRSAgent> logging to https://www.w3.org/2022/09/14-isolated-web-apps-irc
14:06:23 <Zakim> Zakim has joined #isolated-web-apps
14:11:06 <dom> Meeting: Isolated Web Apps  - TPAC 2022 breakout
14:11:08 <dom> Chair: Reilly_Grant, Penny_McLachlan
14:11:10 <dom> Agenda:  https://www.w3.org/events/meetings/66edb1cf-2e01-47f3-af05-bc9d69c43ef3#agenda
14:11:12 <dom> RRSAgent, make log public
14:11:16 <dom> RRSAgent, this meeting spans midnight
14:17:34 <dom> RRSAgent, stay
14:17:36 <dom> Zakim, stay
14:17:36 <Zakim> I don't understand 'stay', dom
15:14:58 <dom> dom has joined #isolated-web-apps
16:12:39 <dom> agenda+ breakout
17:17:37 <kkdsjfkdsjfklsd> kkdsjfkdsjfklsd has joined #isolated-web-apps
17:35:44 <rakuco> rakuco has joined #isolated-web-apps
18:15:49 <dom> dom has joined #isolated-web-apps
18:31:10 <reillyg> reillyg has joined #isolated-web-apps
20:15:05 <dom> dom has joined #isolated-web-apps
20:30:10 <dom> dom has joined #isolated-web-apps
20:54:41 <hyojin> hyojin has joined #isolated-web-apps
21:07:02 <dom__> dom__ has joined #isolated-web-apps
21:29:42 <cmfcmf> cmfcmf has joined #isolated-web-apps
21:45:18 <kuragin> kuragin has joined #isolated-web-apps
21:46:22 <kuragin_> kuragin_ has joined #isolated-web-apps
21:46:53 <kuragin`> kuragin` has joined #isolated-web-apps
21:47:30 <kuragin> kuragin has left #isolated-web-apps
21:52:59 <dom> dom has joined #isolated-web-apps
21:59:57 <bradeeoh> bradeeoh has joined #isolated-web-apps
22:01:50 <Penelope> Penelope has joined #isolated-web-apps
22:01:54 <ALuhrs> ALuhrs has joined #isolated-web-apps
22:01:58 <Penelope> 👋
22:02:35 <reillyg> RRSAgent, on
22:02:47 <reillyg> RRSAgent, please make logs public
22:03:06 <seukyoon-kang_> seukyoon-kang_ has joined #isolated-web-apps
22:03:06 <reillyg> Meeting: Breakout - Isolated Web Apps
22:03:12 <reillyg> scribe+
22:03:13 <reillyg> Meeting: Breakout - Isolated Web Apps
22:03:27 <reillyg> RRSAgent, please create the minutes
22:03:27 <RRSAgent> I have made the request to generate https://www.w3.org/2022/09/14-isolated-web-apps-minutes.html reillyg
22:03:40 <hakan> hakan has joined #isolated-web-apps
22:04:17 <cmp_> cmp_ has joined #isolated-web-apps
22:04:19 <reillyg> Presenting: https://goo.gle/tpac2022-isolated-web-apps
22:05:26 <clamy> clamy has joined #isolated-web-apps
22:05:57 <cmp> cmp has joined #isolated-web-apps
22:07:09 <rmcelrath> rmcelrath has joined #isolated-web-apps
22:08:55 <lyf_> lyf_ has joined #isolated-web-apps
22:11:08 <jwaterman> jwaterman has joined #isolated-web-apps
22:11:18 <lgombos___> lgombos___ has joined #isolated-web-apps
22:13:16 <lyf__> lyf__ has joined #isolated-web-apps
22:17:39 <Penelope> Can an isolated app iframe other sites?  Yes, but all iframes are x-origin (because Isolated Apps are on a private origin)
22:18:56 <Penelope>  x-site iframes can do a lot!  Would it be an option to reduce capabilities that iframes have?  Yes. The goal of ensuring these are x-site iframes is to reduce their capabilities, but we might want even stricter policies.
22:20:12 <Penelope> Another option is to put the iframe in Fenced Frames, has this been considered? A: understanding is fenced frames might be too isolated. The opt in requirement might be a problem here.
22:21:44 <Penelope> w/HTML Sandbox we could apply restrictions to them that are dangerous to the embedder. It might be possible that there are generally useful for the web policy restrictions that we might want to create to restrict iframe behavior.
22:23:35 <Penelope> General feedback: cool approach, fills in a gap where electron+PWA is needed, but cannot have certain capabilities in PWA. This has advantages for developers as they don't need to worry about keep an electron repo up to date, and for users and there is no need for a 3rd electron instance open there is a browser already there and open.  Also compatible with how devs build apps, as they probably already have a modular bundler.
22:25:24 <Penelope> Goal for Isolated Apps is that this should not be a radical departure from how a developer builds an app today, offline is handled by bundle rather than SW but SW would be useful for other things like notifications
22:27:42 <Penelope> LG has many applications running from packages so it is relevant for their use cases. Isolated Web Apps might require some platform adaptation, WebOS has it's own manifest and packaging methodology.
22:28:43 <bradeeoh2> bradeeoh2 has joined #isolated-web-apps
22:29:07 <Penelope> A number of platforms have their own ad hoc packaging systems, in current specs packaging is left undefined, part of what we hope to do is define if we were to package into a bundle what would serving rules look like. We want to ensure we're reusing spec wherever possible so for example this will use existing manifest spec (with a few additional fields such as supplying an update URL)
22:29:59 <Penelope> If today devs want to build an electron app or reactive native app, there's no standardization on how that works, it needs to be run in the native framework the developer chose. Whereas if this is implemented by multiple engines the user can choose the application in the browser of their choice
22:33:39 <Penelope> One common extension used by Electron app is the ability to use standard node packages/APIs that are outside the web platform API surface.  Don't think we want to standardize on how say, a node environment would work, but we could specify an interface for Isolated Apps to ocmmunicate with native companion code so if the user installed next to native platform code.
22:35:37 <Penelope> One of the progressive enhancements we are discussing including in Isolated App scope is a WebView
22:35:56 <Penelope> These are useful for specific use cases, so having a sandbox environments that could use a WebView might be helpful.
22:37:58 <Penelope> WebView use case examples would be, for example MS Teams, current Teams apps is an electron app, W11 has a WebView2 chat app in it, integration between WebView2 and native code components. PWA can be installed and works in teh web, native app uses web for UI, with native component in a separate process. Web + bolt_ons.
22:41:42 <Penelope> WebView tags are underspecified. WebView CG is discussing the general problems. This is not directly part of Isolated App proposal. However, it would be an environment for them to exist in. It could be a good environment for consensus building in WebView API shape.
22:42:17 <Penelope> Observation: in the beginning of hybrid apps, we saw a mimicking of web APIs and this was never standardized. It would be good to have this standardized.
22:47:59 <sarahheimlich> sarahheimlich has joined #isolated-web-apps
22:49:08 <clamy> clamy has joined #isolated-web-apps
22:49:16 <Penelope> There is this question about whether this is a path we want most developers to take? And the answer is no. There's an inherent tradeoff. And if anyone doesn't need what this provides: provenance & auditability, then we want developers to land their apps in the browser.
22:51:02 <Penelope> Chrome security recognizes there is a gap in the platform capabilities in app integrity and would like to land more capabilities to support this without requiring packaging
22:51:23 <Penelope> WhatsApp + CloudFlare collaboration : https://blog.cloudflare.com/cloudflare-verifies-code-whatsapp-web-serves-users/
22:51:45 <Penelope> This is an extension based integrity system that provides a similar guarantee, an attested list of resources and validated integrity
22:52:27 <Penelope> The model of looking at security as a progressively enhancing gradient is interesting.
22:53:29 <Penelope> We would be open to approaches that placed a smaller burden on developers if we can get the same security guarantees
22:54:57 <Penelope> Binary transparency is one way to mitigate server compromise circumstances, there are ways this could be handled.
22:55:30 <Penelope> There are a variety of code integrity rules that exist across different platforms today. iOS & Android use review processes, there is also code signing such as what is used on Windows & OS X.
22:58:21 <Penelope> How would we feel if an application wants to bypass the security protections of the isolated app. What if the app uses an iframe or some other way to bypass isolated app security mechanism.  A: we cannot mitigate risk of an app that is seeking to compromise it's own security policy. Workarounds exist, for example, could include a JavaScript interpreter and run strings it's fetched over the network.
22:58:23 <ortuno> ortuno has joined #isolated-web-apps
22:59:48 <Penelope> Penelope's twitter handle: @b1tr0t
23:00:28 <reillyg> RRSAgent, please create the minutes
23:00:28 <RRSAgent> I have made the request to generate https://www.w3.org/2022/09/14-isolated-web-apps-minutes.html reillyg
23:22:25 <dom> dom has joined #isolated-web-apps
08:21:24 <cmfcmf> cmfcmf has joined #isolated-web-apps
18:52:55 <Penelope> Penelope has joined #isolated-web-apps
19:14:46 <Penelope> Penelope has joined #isolated-web-apps
19:28:45 <Penelope_> Penelope_ has joined #isolated-web-apps
19:29:04 <Penelope_> RRSAgent, here
19:29:04 <RRSAgent> See https://www.w3.org/2022/09/14-isolated-web-apps-irc#T19-29-04
21:14:55 <dom> dom has joined #isolated-web-apps
22:01:44 <dom> RRSAgent, bye
22:01:44 <RRSAgent> I see no action items