Intent to Prototype: Lock Screen API


Louise Brett

Mar 24, 2021, 11:28:42 AM
to blin...@chromium.org, gle...@chromium.org, mgi...@chromium.org

Contact emails

loub...@google.com, gle...@chromium.org, mgi...@chromium.org

Explainer


https://github.com/WICG/lock-screen/blob/main/README.md

Specification

None

Summary

An API for enabling web applications on the lock screen of a device. The API would provide a way for web applications to indicate they can be run on the lock screen, pass data from the lock screen instance of the app to the unlocked instance (and vice versa), and be notified when there is data available.



Blink component

Blink

Motivation

This is needed for enabling web apps on the lock screen of a device. This would allow users to use web apps for tasks such as checking a calendar, using a calculator, taking a photo, or taking a note, all without going through the extra step to unlock their device first. Such an API would be applicable to both desktop and mobile platforms, though it will require some operating system support to implement it.



Initial public proposal

https://discourse.wicg.io/t/proposal-lock-screen-api/4372/2

TAG review

None

TAG review status

Pending

Risks



Interoperability and Compatibility

None



Gecko: No signal

WebKit: No signal

Web developers: No signals


Is this feature fully tested by web-platform-tests?

No

Tracking bug

https://bugs.chromium.org/p/chromium/issues/detail?id=1006642

Link to entry on the Chrome Platform Status

https://www.chromestatus.com/feature/6575595884380160

This intent message was generated by Chrome Platform Status.

Yifan Luo

Apr 21, 2021, 4:54:32 AM
to blink-dev, Louise Brett, gle...@chromium.org, Matt Giuca
Hey there,

According to the explainer, there seem to be several security & privacy issues there and no detailed solution shows up.

Would you mind providing any detailed plan/design about:
1. How would you like to limit the login actions, sensitive data transfers, and sensitive data exposure in the lock screen API?
2. What would the persistent UI be like?
3. How would the user-controlled switch to allow/disallow a certain web app work? Will there be any new OS-level API to help make it possible?

Thanks,
Yifan

Louise Brett

May 4, 2021, 1:53:42 AM
to Yifan Luo, gle...@chromium.org, Matt Giuca
Hi Yifan,

We can’t add Chrome OS specific details to the explainer but there is a (Google only) doc that you can refer to at go/lock-screen-web-api.


> Would you mind providing any detailed plan/design about:
> 1. How would you like to limit the login actions, sensitive data transfers, and sensitive data exposure in the lock screen API?

This relies on the app to some extent. With this API, apps have to explicitly send data to the lock screen, which forces apps to think about what data they want to send to avoid accidentally exposing data. We are considering clearing cookies each time the lock screen app is closed, so if the app allows the user to log in, they will be logged out again. We are currently discussing options here with security; Hardik Goyal is our main contact.

 
> 2. What would the persistent UI be like?

This will be the same/similar to what we have on ChromeOS today when running Google Keep on the lock screen. This is a bar at the bottom of the screen with an unlock button at the left and the time and battery on the right.

 
> 3. How would the user-controlled switch to allow/disallow a certain web app work? Will there be any new OS-level API to help make it possible?

Currently on Chrome OS, there is a setting for this in stylus settings. Web apps must be enabled by the user in settings before they can be used on the lock screen.

Cheers,
Louise

Yifan Luo

May 4, 2021, 3:02:25 AM
to Louise Brett, gle...@chromium.org, Matt Giuca
Hey Louise,

Thanks for your info. Looks good to me.

Best,
Yifan
--
Yifan