rmce...@chromium.org, rei...@chromium.org
https://github.com/WICG/isolated-web-apps/blob/main/README.md
https://wicg.github.io/isolated-web-apps/isolated-contexts
Isolated Web Apps (IWAs) are an extension of existing work on PWA installation and Web Packaging that provide stronger protections against server compromise and other tampering that is necessary for developers of security-sensitive applications.
Rather than being hosted on live web servers and fetched over HTTPS, these applications are packaged into Web Bundles and signed by their developer. For this initial launch, installation can only be triggered by enterprise policy on managed devices.
https://github.com/w3ctag/design-reviews/issues/842
Pending
Gecko: No signal (https://github.com/mozilla/standards-positions/issues/799)
WebKit: No signal (https://github.com/WebKit/standards-positions/issues/184)
Web developers: Several companies have reached out asking about IWA availability (can’t name them publicly), the iwa...@chromium.org list is active, and there’s been some interest in the WICG repo.
Other signals:
Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
N/A. Feature not compiled in Android.
No, the initial launch is scoped to ChromeOS only.
No, IWAs are built on top of PWA infrastructure, which isn’t currently supported by WPT.
#enable-isolated-web-apps
IsolatedWebApps
True
https://launch.corp.google.com/launch/4234446
We have histograms measuring the following (see WebApp.Isolated.*):
Installation result
Update result
Orphaned bundle cleanup job result
Bundle verification (signature and file format) result
Bundle resource read result
Initially only available on ChromeOS, with other platforms following at a later date.
Expected to be used initially by a small number (<10) of partners, but any enterprise admin could develop and deploy an IWA if they choose.
Working directly with partners for whom IWAs are an appropriate solution.
Key rotations are handled by the Component Updater, which receives Google-managed configuration data.
https://github.com/GoogleChromeLabs/telnet-client
https://github.com/WICG/controlled-frame/tree/main/test_app
Open questions about a feature may be a source of future web compat or interop issues. Please list open issues (e.g. links to known github issues in the project for the feature specification) whose resolution may introduce web compat/interop risk (e.g., changing to naming or structure of the API in a non-backward-compatible way).
We recently added support for Integrity Block v2 to Signed Web Bundles, which hasn’t been spec’d yet. We’re supporting both Integrity Block formats for a few releases while partners migrate before dropping support for v1.
https://chromestatus.com/feature/5146307550248960
Intent to prototype: https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAEmk%3DMayyUjocrvyQKgu-bZy_4z5VJ0ijHCAijBTZY2xLwJpJQ%40mail.gmail.com
This intent message was generated by Chrome Platform Status.
Are there any things that an IWA needs that DevTools can't currently do?
Can you say more about this please? Or is there an issue or explainer to read for more context? Is there a plan to do the spec work?
Thanks - before I jump too deeply into the review, would you mind requesting the various review gate bits in your chromestatus entry?
Thanks for taking a look Mike!
Are there any things that an IWA needs that DevTools can't currently do?
No, the IWA security rules are enforced with existing web primitives (CSP/TT, permissions policy, COI) that already have DevTools support. There is some non-DevTools tooling needed to build and sign the bundle, but I don't think there's a use case for adding bundle-related functionality into DevTools.
Can you say more about this please? Or is there an issue or explainer to read for more context? Is there a plan to do the spec work?
Integrity block v2 was recently proposed to address key rotation related issues with v1. The internal design doc is here: go/iwa-key-rotation. Yes, we will be speccing this.
Thanks - before I jump too deeply into the review, would you mind requesting the various review gate bits in your chromestatus entry?
No, the IWA security rules are enforced with existing web primitives (CSP/TT, permissions policy, COI) that already have DevTools support. There is some non-DevTools tooling needed to build and sign the bundle, but I don't think there's a use case for adding bundle-related functionality into DevTools.
Makes sense. Are there plans to build said tooling and make it available to ease adoption?
Integrity block v2 was recently proposed to address key rotation related issues with v1. The internal design doc is here: go/iwa-key-rotation. Yes, we will be speccing this.
Great - any idea of when you might have some version of a spec draft ready?
The standard-positions issues with Mozilla and WebKit seem to have been forgotten since they were filed more than a year ago. I think it would be a good idea to ping the issues and let them know that this is currently going through the shipping process.
/Daniel