15:25:30 RRSAgent has joined #webview 15:25:31 logging to https://www.w3.org/2022/09/16-webview-irc 15:25:32 Zakim has joined #webview 15:25:42 Meeting: WebView CG @TPAC 15:25:42 https://github.com/TPAC -> @TPAC 15:25:58 Chair: rayan, qing_an 15:26:24 Present+ Max_Tsoy 15:26:36 Present+ Rayan, PeterC, Dom 15:26:43 RRSAgent, make log public 15:27:12 Agenda: https://github.com/WebView-CG/usage-and-challenges/issues/35 15:27:46 Present+ QingAn 15:29:44 QingAn has joined #webview 15:30:59 Present+ Xiaoqian 15:31:08 duga has joined #webview 15:31:42 duga has joined #webview 15:31:43 Present+ Tatsuya 15:31:56 scribe+ 15:32:08 shiestyle has joined #webview 15:32:41 Present Heejin, Brady 15:32:56 present+ 15:32:58 Present+ WanmingLin 15:33:33 Present+ 15:33:36 rayan: [reviewing agenda] 15:34:05 Rayan: I work for Google, co-chair of the group 15:34:28 AndrewC: Meta 15:34:34 SamW: Meta as well 15:34:42 Present+ AndrewCumming, SamWeiss 15:35:15 QingAn: from Alibaba, co-chair with Rayan 15:35:20 Present+ AndyLhurs 15:35:31 Max: work for DuckDuckGo 15:35:41 present+ 15:35:53 Xiaoqian: from W3C, interesting intersection with WebApps WG 15:35:58 Wanming: work for Intel 15:36:08 Andy: work for MS on WebView2 15:36:31 xiaoqian has joined #webview 15:36:43 PEConn has joined #webview 15:36:44 i/rayan: [/Topic: Introduction 15:36:45 igarashi has joined #webview 15:36:48 hjrchung has joined #webview 15:36:53 acomminos has joined #webview 15:37:01 present+ Tatsuya_Igarashi 15:37:01 https://webview-cg.github.io/usage-and-challenges/ 15:37:13 present+ 15:37:14 present+ 15:37:38 Rayan: the goal of our group is identify and reduce issues arising from the use of webviews across platforms and devices 15:37:38 present+ wanming_lin 15:37:58 ... the first phrase of the CG was exploratory - outreach to users and implementors of webviews to understand what usages are outthere 15:38:03 ... and what issues arising from them 15:38:23 ... we received submissions from the community and we agreed on a bunch of them 15:38:30 Topic: Introduction on CG report "WebView: Usage Scenarios and Challenges" 15:38:44 -> https://webview-cg.github.io/usage-and-challenges/ CG report "WebView: Usage Scenarios and Challenges" 15:38:54 Rayan: [reviewing document] 15:39:11 ... one theme of issues is around performance given the additional cost of loading the rendering engine 15:40:13 ... Improvements to these issues can be either through improvement to the Web platform features, or improvement to the webview ecosystem itself 15:40:38 Qing: adding support for existing browser features to the webviews would already help 15:41:50 Rayan: the inconsistencies in WebViews is a recurrent theme 15:42:24 Rayan: our second use case is about sharing requests and responses among webviews and the native side 15:43:05 ... the different webview implementations are inconsistent on this; clearly another perf request 15:43:45 Andrew: there are situations where the native app has a lot more context than the browser context, solving this would be really useful 15:44:03 Rayan: the submitter of this for instance had AI used to predict future requests they woudl find useful to share with the WebView 15:44:31 Rayan: the next use case is mixing webview & native components into a single layer 15:44:52 ... e.g. allowing a native video player embedded in a webview 15:45:14 ... this has been prototyped 15:45:51 QingAn: in China, mini-apps have a high need for mixing native comopnents & webview components 15:46:18 ..; currently they are many functionalities provided by the native side, but also using many web-provided components 15:46:42 ... having a universal way to display the different components without overlap would help 15:47:44 ... this is becoming more and more common, esp in the China market 15:48:12 ... some vendors in China are trying to design proprietary solutions, both in iOS and Android 15:48:28 ... but this is bringing different solutions across miniapp vendors 15:49:48 ... this may be done either from the web side or from the webview side - that will be worth exploring 15:50:23 Brady: we have done this on Android and it wasn't pleasant - e.g. with text being obscured by audio controls 15:50:53 samweiss has joined #webview 15:50:58 ... it certainly is a problem that exists 15:51:15 QingAn: in the next steps, we can share more details about how we approached this issue 15:51:47 Subtopic: Inject custom JS 15:52:07 i/Rayan: [reviewing document]/Subtopic: loading a web page 15:52:32 i/Rayan: our second/Subtopic: Sharing requests and responses 15:53:00 i/Rayan: the next use/Subtopic: Integrating webview & native components in a single layer 15:53:31 Rayan: by default, injnection is only possible at the top-level frame and with inconsistent behaviors across webviews 15:53:48 Max: all the desired features are available in one implementation or another, but no implementation has them all 15:53:53 ... with all very different APIs 15:54:37 ... there are also security & privacy concerns around this, but it solves a lot of problems that would otherwise require specialized APIs 15:55:01 ... improving interoperability between platforms by discussing a common model 15:55:39 Rayan: re security & privacy - this is a challenge common to many other APIs that modify Web content being rendered 15:55:54 SUbtopic: Control API permissions 15:56:33 Rayan: this provides a way to limit what 3rd party content can request access to, e.g. prevening a new article to request geolocation 15:57:08 Max: this can probably be split into different discussions 15:57:29 ... in general, when a native app is using a Webview, there is a blurred line on the security boundaries and security model 15:57:37 ... native has its own model to manage permissions 15:57:45 ... and so does WebView, including the Permissions API 15:58:34 ... in the case of our DuckDUckGo browser, we would like to have full control so that our app gets all the OS permissions and we then can manage permissions per web site 15:59:20 ... permissions end up being managed very differently across the Web platform 15:59:46 Andy: from the webview2 perspective, the biggest usage is to "force allow" 16:00:16 ... e.G. local font access requiring a permission prompt is awkward 16:00:17 q+ 16:00:27 joonhyung has joined #webview 16:00:57 joonhyung has left #webview 16:02:33 dom: permissions model is a key point of integration between native and web 16:02:56 ... we will have to distingusih the common model and what is allowed to be controled in what context 16:03:08 PeterC: it may be that auto-grant could be limited to domains that you control 16:03:20 Subtopic: Manage Web storage and cookies 16:03:55 Rayan: this is distinct from injection as you may need to inject cookies ahead of loading the Web page 16:04:25 ... this again raises security challenges 16:04:46 ... a question is the impact of third-party cookie removal on this issue 16:05:02 Max: it's related, but we also need to ability to selectively *not* clear cookies 16:05:15 ... the privacy protections in our DDG browser are context-relative 16:05:31 ... e.g. we would reduce the lifetime of a cookie both in 1st and 3rd party contexts 16:05:55 ... we need more granular control 16:07:03 Dom: but deprecation of 3rd party cookies may reduce the scope of the privacy/security issue 16:07:22 Max: this type of more powerful features is really dependent on the type of app we're talking 16:07:48 ... we build a full-featured browser, which should probably operate under different rules than others e.G. in app browser 16:08:04 Andy: we might want to frontload the types of webviews in our document 16:08:18 ... since it impact use cases 16:08:43 rayan: good point 16:09:20 ... I'll take an action to improve the doc structure in that direction 16:09:40 Subtopic: Origin in a WebView for locally hosted content 16:09:52 rayan: extremely common use case to load local content in a WebView 16:10:08 ... but these are handled very differently across webview ecosystem with impact e.G. on CORS 16:10:27 ... this feels like a low-hanging fruit for the CG to provide a standardized approach 16:10:45 ... given how relevant it is and it should be relatively simple to spin up an explainer towards alignment 16:11:08 Subtopic: Different type of WebViews 16:11:28 Rayan: that was is more of an overview of the different webviews being available - still missing geckoview 16:12:02 ... with information on the platform, the features it has, its limitations on how it can be used, and its UX flexibility 16:12:18 ... we've classified those in 2 categories: full-fleged webview, and browser-like webviews 16:12:40 ... the former used for full integration with native, when the latter is mostly around showing up a Web page via the browser 16:12:52 ... most of our discussions have focused on the former 16:13:14 -> https://www.w3.org/2022/09/14-webview-cg-minutes.html WebView Breakout minutes 16:13:45 -> https://drive.google.com/file/d/19-3Q54IZEKpjb_dXgNSeT_xyjSSnVute/view?usp=sharing Slides of the WebView breakout, including an overview of the webview ecosystems 16:14:48 Andy: even if the browser webview isn't in scope, having these in mind is helpful to help differentiate the similar but slightly different use cases 16:14:54 rayan: +1 16:15:04 +1 16:15:59 Rayan: this doc has emerged from discussions in our CG which happens on biweekly basis 16:16:39 Andrew: is this limited to system-level webviews, or would this also include things like geckoview? 16:16:53 Rayan: we would like more info on geckoview, they're in scope 16:17:08 Dom: are there systematic difference between the two levels? 16:17:20 Andrew: they operate under different constraint 16:19:00 ... system webviews get provided by default by the platforms 16:20:39 muodov has joined #webview 16:36:22 PEConn has joined #webview 16:37:35 Topic: -> https://github.com/WebView-CG/usage-and-challenges/issues Open github issues 16:37:36 Subtopic: -> https://github.com/WebView-CG/usage-and-challenges/issues/16 Display and manipulate third party content while blocking third party scripting #16 16:37:36 Brady: epub is essentially a Web site in a zip file 16:37:36 https://github.com/WebView-CG/usage-and-challenges/issues/16 -> Issue 16 Display and manipulate third party content while blocking third party scripting (bduga) use case 16:37:48 Brady: we cannot disable JS in the 3rd party content we load 16:38:01 ... we disable network and put as many restrictions as we can 16:38:08 ... but can't fully prevent it from running 16:38:13 shiestyle has joined #webview 16:38:37 ... we would like to be able to say "this is HTML content, do not run any JS from that content, only run my JS" 16:39:11 ... there are webplatform solutions to this, but given how the content is added to the webview, it's really hard to distinguish my safe content from the content of the 3rd party 16:39:35 ... we have to manipulate the content extensively, which at the moment can only be done in JS 16:39:55 Rayan: have you looked into CSP? 16:40:24 Brady: I think this couldn't be within the current framework 16:41:35 dom: ideally we would provide a hook so that the content can then be handled through regular Web platform features 16:41:55 Rayan: sounds like a good topic to discuss with other webview vendors to reduce idiosyncracies across platform 16:42:08 Brady: APple has an ebook reader with similar issues iirc 16:42:37 Max: there was also another W3C group working on epub, focused on the package itself 16:42:52 Brady: right - the epub WG is platform agnostic, you would not have to use a WebView 16:43:20 Max: can you elaborate on the kind of scripts you want to be able to inject? 16:43:44 ... in the existing JS injection use case there is a discussion about "isolated" world which may be relevant 16:43:50 Brady: it may well apply 16:44:31 ... the scripts may for instance break the content into multiple pages 16:44:40 ... change the size of the font (trickier than it seems) 16:44:47 ... modify the default font 16:45:03 ... change background/foreground colors 16:45:39 ... caching some of the data (e.g. for pagination) 16:45:57 ... media overlays - highlighting what is being read aloud 16:46:23 Max: lots of DOM manipulation then? if so, that seems related to the isolated world use case 16:46:42 Andrew: there seems to be lots of relation with webextensions 16:47:42 Max: the WebExtensions CG has this API to evaluate JS either in the context of the page or in an isolated world 16:47:48 ... not impacted by CSP 16:49:12 dom: +1 in general to try & align with webextensions where possible, helps with convergence & interop 16:49:29 Subtopic: -> https://github.com/WebView-CG/usage-and-challenges/issues/36 Challenge: Apps can use WebViews to bypass web security standards, privacy standards, and user choice. #36 16:49:29 https://github.com/WebView-CG/usage-and-challenges/issues/36 -> Issue 36 Challenge: Apps can use WebViews to bypass web security standards, privacy standards, and user choice. (aluhrs13) use case, Agenda+ 16:49:50 Andy: overall concept is a challenge facing users more than developers 16:50:16 ... how can they determine users understand what they're facing when using a webviews 16:50:32 Rayan: iframe are conceptually similar to webviews - embedded in a native app 16:50:48 ... we have security models for iframe, it would make sense to have a security model for webview embeds 16:51:06 ... they may benefit from similar considerations around 1st party/3rd party when it comes to powerful features 16:51:29 ... these may come in conflict with the browser use case that we need to keep in mind 16:51:53 ... there is also discussion of the X-Frame-Options header - that seems like a separate issue 16:51:59 q+ 16:52:33 Andy: I was listing this as a general indication of what has been in this space, not suggesting adopting it as is 16:52:37 ... the concerns are very similar 16:53:06 ... users won't know that there is an iframe that can be read by the wrapping app 16:53:21 ... Webkit has app-bound domains which is an interesting approach in this space 16:53:45 ... Alex Russel described a proposal to clarify policies from browser usage 16:53:57 ack dom 16:53:59 ack acomminos 16:54:02 q+ 16:54:24 Andrew: pushing back on the iframe similarities - in that situation, the Web is both the embedder and the embeddee in that situation 16:54:42 ... X-Frame-Options doesn't really apply 16:54:52 ... we wouldn't want to disable specific browsers 16:55:20 ack PEConn 16:55:49 PEConn: Andy mentioned app-bound domains in iOS, Android has something similar 16:56:04 ... is this something that should be standardized? 16:56:24 rayan: there has been attempts in that space, e.g. first-party-sets 16:56:52 q- 16:56:52 ... or the Web Apps "related apps" manifest hook 16:57:04 q+ 16:57:41 ... one of the issue is with app-bound domains is that it needs stronger provable relationship 16:58:07 q+ 16:58:43 q+ 16:59:08 ack dom 16:59:55 dom: there is a number of places where we should focus first on model before focusing on an interoperable technical surfacing of that model 16:59:57 rayan: +1 17:00:29 Andy: part of my position has been that we need awareness of the challenge, but it may not need to have a solution in this CG 17:01:08 Rayan: this is a challenge that intersects with a lot of the other issues we have 17:01:20 ... it feels pretty critical to unblock some of the security & privacy discussions 17:01:48 Max: I don't think we're going to solve this issue right now 17:01:55 ... there are multiple parts to this 17:02:17 ... re x-frame-options - I'm not a fan of that, even in the Web world, it proves to be insufficient 17:02:29 ack muodov 17:02:42 ... there are better and more flexible options in the Web world 17:03:16 ... about app-bound domains, the problem that an app developer can choose "random" origins - it's similar to WebExtensions 17:04:00 ... this issue has at least 3 parts: 17:04:14 ... * a web site owner not wanting to be presented in a webview 17:04:41 ... * giving the choice to the user of where the content be rendered 17:04:46 ack acomminos 17:04:53 Andrew: +1 to Max 17:05:46 ... wouldn't want to include this use case in our scope, it would prevent web-view based browsers 17:06:01 acomminos: +1 on breaking up the issue 17:07:12 ... app-bound domains is a huge limitation for a full-fledge browser 17:07:35 dom: I think the idea is that app-bound domains is that they would be useful, but not for the "browser" use case 17:07:52 rayan: I think we all agree that app-bound domains wouldn't work for browsers 17:09:14 ... I like the model of WebExtensions, with a carveout where 17:09:33 dom: what's our next step for #36? will be split it up? 17:09:33 https://github.com/WebView-CG/usage-and-challenges/issues/36 -> Issue 36 Challenge: Apps can use WebViews to bypass web security standards, privacy standards, and user choice. (aluhrs13) use case, Agenda+ 17:09:56 Max: I'm happy to work on splitting it up 17:10:05 dom: what about #16? 17:10:05 https://github.com/WebView-CG/usage-and-challenges/issues/16 -> Issue 16 Display and manipulate third party content while blocking third party scripting (bduga) use case 17:10:35 Brady: I'll check if this the isolated world is a workable solution 17:11:09 Topic: Discussion of next steps for the CG 17:11:28 s/Topic: Discussion of next steps for the CG// 17:11:38 Subtopic: type of usages 17:11:57 Andy: it would be interesting to make progress on the different type of usages à la miniapps, epub, in-app browser 17:12:11 ... as discussed in #34 17:12:12 https://github.com/WebView-CG/usage-and-challenges/issues/34 -> Issue 34 Clarification around Web Bundles, WebViews, and MiniApps? (aluhrs13) 17:12:24 ... a Venn diagram of how they relate one withanother 17:12:36 Present+ ChasePhilips 17:12:44 Chase: I'm working on webviews for isolated web apps 17:13:50 Qing: I haven't had the time to work on the mini-apps intro yet 17:14:01 shiestyle has joined #webview 17:14:02 ... miniapps use webviews simply for rendering purposes 17:15:02 ... the logic is similar to serviceworker to manage multiple webview pages 17:15:38 ... the question about origin has also been discussed in the miniapps wg, with input from the TAG 17:16:14 ... there is agreement that miniapps should follow the web security model, and we're trying to figure out related issues 17:17:02 Rayan: I'll ping the relevant people to make progress on this issue 17:17:14 ... and restructure our doc to surface these questions 17:17:31 Topic: Discussion of next steps for the CG 17:17:49 Rayan: the CG has been in the exploratory phase 17:18:01 ... is now a good time to dive into solution space? 17:18:27 ... interested in opinions from WebView vendors - would this be interesting to get input from this CG? 17:18:34 Peter: would be happy to review things 17:19:04 Andy: 100% happy to give feedback; would be happy to consider prioritizing standardized solutions in this space 17:19:37 Rayan: so it would be useful to start iterating on solutions and reach out to other webview vendors 17:19:51 QingAn: +1 17:20:22 ... our CG should still welcome more use cases and keep updating the CG report 17:20:30 q+ 17:21:01 ... as we iterate on solutions, we should think about the potential standardization opportunities in W3C 17:21:11 ack me 17:23:33 dom: in terms of outreach, sharing our report with W3C WG chairs and relevant CGs (e.g. webextensions) would be useful 17:24:02 ... keeping track of issues we identify in existing tech and deriving "best practices" to share with groups would be god 17:24:17 Rayan: QingAn and I will meet to organize our work to start solution space 17:25:17 QingAn: this should include update our charter to reflect this expanded scope 17:25:19 dom: +1 17:25:20 ack me 17:25:50 RRSAgent, draft minutes 17:25:50 I have made the request to generate https://www.w3.org/2022/09/16-webview-minutes.html dom 17:27:02 duga has joined #webview 17:35:02 shiestyle has left #webview 17:35:59 duga has joined #webview 17:42:37 duga has joined #webview 19:08:27 duga has joined #webview 19:28:22 Zakim has left #webview 20:36:02 duga has joined #webview 20:57:09 dom has joined #webview 21:00:16 duga has joined #webview