07:51:04 <RRSAgent> RRSAgent has joined #webview
07:51:08 <RRSAgent> logging to https://www.w3.org/2023/03/22-webview-irc
08:02:36 <dom> Present+ Rayan, QingAn, NiklasMerz, Dom
08:03:54 <dom> -> https://github.com/WebView-CG/explainers/issues/3  Controlled Frame explainer FYI and review #3
08:05:04 <dom> Topic: -> https://github.com/NiklasMerz/explainer-webview-local-content Locally hosted content #2
08:05:46 <dom> Niklas: this is a proposal to find a common denominator across webviews to expose local content to WebViews - based on what's in iOS and Android
08:06:15 <dom> ... right now, the different implementations have different limitations, different choices (e.g. origins)
08:06:21 <dom> ... having a single API would benefit developers
08:07:28 <dom> Rayan: seen feedback; most of it around origins
08:07:53 <dom> -> https://github.com/NiklasMerz/explainer-webview-local-content/discussions/4 Discussions around the explainer
08:08:26 <dom> Rayan: how would the app affect the origin? would app Foo be a different origin from app Bar?
08:08:44 <dom> ... myapp://foo vs mapp://bar
08:08:57 <dom> Niklas: they would be different origins
08:09:15 <dom> Rayan: Android today treat these as different origins
08:09:32 <dom> Niklas: OK, so it's worth clarifying in the explainer
08:09:43 <dom> Rayan: there is also ongoing work to standardize custom schemes
08:09:59 <dom> -> https://groups.google.com/a/chromium.org/g/blink-dev/c/wYuPrIQzDTA Intent to Ship: Support URLs with non-special schemes
08:10:14 <dom> Rayan: there seems to be alignment with GeckoView and Webkit behind this proposal
08:10:57 <dom> Rayan: assuming there is convergence, does that affect your preference on option 1 vs option 2?
08:11:23 <dom> Niklas: not really; with HTTPS, you can use CSP / CORS and get more Web foo
08:11:51 <dom> Rayan: a lot of the considerations also need to take into account how Web site to work; at the moment with custom schemes, CSP / CORS will break
08:11:58 <dom> ... that's an important consideration for this API
08:12:34 <dom> ... my hesitation with HTTPS, it doesn't feel right to use it to serve your own content
08:12:37 <dom> q+
08:17:32 <dom> dom: I wonder if we could use a magic HTTPS origin  à la localhost
08:19:59 <dom> Rayan: what happens if you have a custom scheme and want to load resources? do you rely on the interception API?
08:20:22 <dom> Niklas: in iOS, any request on that custom scheme gets intercepted (usually a simple mapping to the filesystem)
08:21:18 <dom> Rayan: any impact on performance / latency?
08:21:29 <dom> Niklas: this hasn't been an issue in the apps I've worked on
08:21:38 <dom> Present+ tomayac7
08:23:44 <dom> Dom: where would we go next after we converge on these discussions?
08:24:01 <dom> Rayan: there is interest on Android WebView once there is more clarity on https vs custom schemes
08:27:08 <dom> ... Andy from the Windows webview is also participating in the discussions
08:28:17 <dom> Niklas: I'll ping my contacts on WebKit webviews
08:28:48 <dom> Topic: -> https://github.com/WebView-CG/explainers/issues/3  Controlled Frame explainer FYI and review
08:28:57 <dom> Rayan: this is a WebView for the Web
08:29:07 <dom> ... different fenced iframe, only available for isolated web apps
08:29:34 <dom> ... it comes with guarantees - it runs outside of the context of the embedding web app, works as if it was a top level context
08:29:58 <dom> ... there is exploration to provide WebView-like APIs to control web content
08:30:03 <dom> ... hence the intersection with our CG
08:30:16 <dom> -> https://github.com/chasephillips/controlled-frame/blob/main/EXPLAINER.md Controlled Frame explainer
08:30:24 <dom> Rayan: they're seeking feedback on the explainer from the CG
08:30:36 <dom> Qing: this is only for isolated web apps - not for hybrid apps?
08:30:49 <dom> Rayan: correct - it wouldn't work on any web site
08:31:07 <dom> ... only for isolated web apps where resources are packaged in a web bundle
08:31:44 <dom> Niklas: I used to work on a Web app that used iframe extensively for a widget system
08:31:50 <dom> s/iframe/iframes/
08:32:21 <dom> ... it would be cool to have full control over the embedded pages when combine frames in your main app
08:32:56 <dom> ... I need to get a better understanding of isolated web apps
08:33:33 <dom> Rayan: the explainer details how it differs from iframes and why it is necessary
08:33:58 <dom> Topic: AOB
08:34:22 <dom> Rayan: there is ongoing work on a device attestation API - which is particularly useful for WebViews
08:34:38 <dom> ... e.g. a banking app wanting to ensure they're running on a non-compromised device
08:35:03 <dom> ... it relies on a trusted source that gives signed tokens on whether the device has been root, whether the app is trusted, etc
08:35:20 <dom> ... expect an explainer coming in this space to the CG
08:36:52 <dom> Dom: may be worth surfacing that use case in our usage doc
08:39:37 <dom> Rayan: note that this would be a Web Platform feature, not just for WebViews - it has utility in anti-fraud contexts
08:40:21 <dom> ... but let's wait to see the explainer when we can react with a more detailed proposal
08:40:34 <dom> Niklas: looking forward to this, in particular a clearer sense of the use cases
08:41:13 <dom> RRSAgent, draft minutes
08:41:14 <RRSAgent> I have made the request to generate https://www.w3.org/2023/03/22-webview-minutes.html dom
08:41:16 <dom> RRSAgent, make log public
08:42:57 <dom> Meeting: WebView CG meeting
08:42:58 <dom> RRSAgent, draft minutes
08:43:00 <RRSAgent> I have made the request to generate https://www.w3.org/2023/03/22-webview-minutes.html dom