Intent to Ship: Isolated Web Apps

956 views
Skip to first unread message

Robbie McElrath

unread,
Jul 12, 2024, 11:27:00 AM7/12/24
to blink-dev, Reilly Grant

Contact emails

rmce...@chromium.org, rei...@chromium.org


Explainer

https://github.com/WICG/isolated-web-apps/blob/main/README.md


Specification

https://wicg.github.io/isolated-web-apps/isolated-contexts


Summary

Isolated Web Apps (IWAs) are an extension of existing work on PWA installation and Web Packaging that provide stronger protections against server compromise and other tampering that is necessary for developers of security-sensitive applications.


Rather than being hosted on live web servers and fetched over HTTPS, these applications are packaged into Web Bundles and signed by their developer. For this initial launch, installation can only be triggered by enterprise policy on managed devices.


Blink component

Blink


TAG review

https://github.com/w3ctag/design-reviews/issues/842


TAG review status

Pending


Risks


Interoperability and Compatibility


Gecko: No signal (https://github.com/mozilla/standards-positions/issues/799)


WebKit: No signal (https://github.com/WebKit/standards-positions/issues/184)


Web developers: Several companies have reached out asking about IWA availability (can’t name them publicly), the iwa...@chromium.org list is active, and there’s been some interest in the WICG repo.


Other signals:


WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?

N/A. Feature not compiled in Android.



Debuggability



Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, ChromeOS, Android, and Android WebView)?

No, the initial launch is scoped to ChromeOS only.


Is this feature fully tested by web-platform-tests?

No, IWAs are built on top of PWA infrastructure, which isn’t currently supported by WPT.


Flag name on chrome://flags

#enable-isolated-web-apps


Finch feature name

IsolatedWebApps


Requires code in //chrome?

True


Launch bug

https://launch.corp.google.com/launch/4234446


Measurement

We have histograms measuring the following (see WebApp.Isolated.*):

  • Installation result

  • Update result

  • Orphaned bundle cleanup job result

  • Bundle verification (signature and file format) result

  • Bundle resource read result


Availability expectation

Initially only available on ChromeOS, with other platforms following at a later date.


Adoption expectation

Expected to be used initially by a small number (<10) number of partners, but any enterprise admin could develop and deploy an IWA if they choose.


Adoption plan

Working directly with partners for whom IWAs are an appropriate solution.


Non-OSS dependencies

Key rotations are handled by the Component Updater, which receives Google-managed configuration data.


Sample links


https://github.com/GoogleChromeLabs/telnet-client

https://github.com/WICG/controlled-frame/tree/main/test_app


Estimated milestones

Shipping on desktop

128


Anticipated spec changes

Open questions about a feature may be a source of future web compat or interop issues. Please list open issues (e.g. links to known github issues in the project for the feature specification) whose resolution may introduce web compat/interop risk (e.g., changing to naming or structure of the API in a non-backward-compatible way).


We recently added support for Integrity Block v2 to Signed Web Bundles, which hasn’t been spec’d yet. We’re supporting both Integrity Block formats for a few releases while partners migrate before dropping support for v1.


Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5146307550248960


Links to previous Intent discussions

Intent to prototype: https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAEmk%3DMayyUjocrvyQKgu-bZy_4z5VJ0ijHCAijBTZY2xLwJpJQ%40mail.gmail.com


This intent message was generated by Chrome Platform Status.

Mike Taylor

unread,
Jul 15, 2024, 11:32:50 AM7/15/24
to Robbie McElrath, Reilly Grant, blink-dev
Are there any things that an IWA needs that DevTools can't currently do?
Can you say more about this please? Or is there an issue or explainer to read for more context? Is there a plan to do the spec work?

Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5146307550248960


Links to previous Intent discussions

Intent to prototype: https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAEmk%3DMayyUjocrvyQKgu-bZy_4z5VJ0ijHCAijBTZY2xLwJpJQ%40mail.gmail.com


This intent message was generated by Chrome Platform Status.

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CANtkjcS1A2rO%2BvHnnPXqc6sxhjenearhCGx9vxt%2BcKqM5otDfA%40mail.gmail.com.

Robbie McElrath

unread,
Jul 15, 2024, 2:44:40 PM7/15/24
to blink-dev, Mike Taylor, Reilly Grant, blink-dev, Robbie McElrath
Thanks for taking a look Mike!
 
Are there any things that an IWA needs that DevTools can't currently do?

No, the IWA security rules are enforced with existing web primitives (CSP/TT, permissions policy, COI) that already have DevTools support. There is some non-DevTools tooling needed to build and sign the bundle, but I don't think there's a use case for adding bundle-related functionality into DevTools.
 
Can you say more about this please? Or is there an issue or explainer to read for more context? Is there a plan to do the spec work?

Integrity block v2 was recently proposed to address key rotation related issues with v1. The internal design doc is here: go/iwa-key-rotation. Yes, we will be speccing this.
 

Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5146307550248960


Links to previous Intent discussions

Intent to prototype: https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAEmk%3DMayyUjocrvyQKgu-bZy_4z5VJ0ijHCAijBTZY2xLwJpJQ%40mail.gmail.com


This intent message was generated by Chrome Platform Status.

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.

Mike Taylor

unread,
Jul 16, 2024, 11:26:01 AM7/16/24
to Robbie McElrath, blink-dev, Reilly Grant

Thanks - before I jump too deeply into the review, would you mind requesting the various review gate bits in your chromestatus entry?

On 7/15/24 2:44 PM, Robbie McElrath wrote:
Thanks for taking a look Mike!
 
Are there any things that an IWA needs that DevTools can't currently do?

No, the IWA security rules are enforced with existing web primitives (CSP/TT, permissions policy, COI) that already have DevTools support. There is some non-DevTools tooling needed to build and sign the bundle, but I don't think there's a use case for adding bundle-related functionality into DevTools.
Makes sense. Are there plans to build said tooling and make it available to ease adoption?

 
Can you say more about this please? Or is there an issue or explainer to read for more context? Is there a plan to do the spec work?

Integrity block v2 was recently proposed to address key rotation related issues with v1. The internal design doc is here: go/iwa-key-rotation. Yes, we will be speccing this.
Great - any idea of when you might have some version of a spec draft ready?

Robbie McElrath

unread,
Jul 16, 2024, 4:20:01 PM7/16/24
to blink-dev, Mike Taylor, Reilly Grant, Robbie McElrath

Thanks - before I jump too deeply into the review, would you mind requesting the various review gate bits in your chromestatus entry?

Done. We've been using launch/ for the approvals so far. I added a link to the corresponding launch/ approval in chromestatus when applicable.

No, the IWA security rules are enforced with existing web primitives (CSP/TT, permissions policy, COI) that already have DevTools support. There is some non-DevTools tooling needed to build and sign the bundle, but I don't think there's a use case for adding bundle-related functionality into DevTools.
Makes sense. Are there plans to build said tooling and make it available to ease adoption?

Yeah, we already have JS tooling available to create bundles, sign bundles (the new integrity block format is already supported), and a webpack and rollup plugin. These make it easy to integrate with existing npm-based flows, see the telnet demo app for an example. There's also a go tool that can build and sign bundles, but it doesn't support integrity block v2 yet. Updating the go version has been lower priority as we don't know of anyone that actually used it.
 
Integrity block v2 was recently proposed to address key rotation related issues with v1. The internal design doc is here: go/iwa-key-rotation. Yes, we will be speccing this.
Great - any idea of when you might have some version of a spec draft ready?

The engineer working on this estimates it being done in the next few weeks.

Daniel Bratell

unread,
Jul 24, 2024, 12:38:09 PM7/24/24
to Robbie McElrath, blink-dev, Mike Taylor, Reilly Grant

The standard-positions issues with Mozilla and WebKit seem to have been forgotten since they were filed more than a year ago. I think it would be a good idea to ping the issues and let them know that this is currently going through the shipping process.

/Daniel

To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/00d31784-ba95-4e02-99a7-1893e7aa7e06n%40chromium.org.

Robbie McElrath

unread,
Jul 24, 2024, 1:51:03 PM7/24/24
to blink-dev, Daniel Bratell, Mike Taylor, Reilly Grant, Robbie McElrath
Good idea, I updated both standards positions issues.

Reilly Grant

unread,
Jul 30, 2024, 2:10:06 PM7/30/24
to Robbie McElrath, blink-dev, Mike Taylor
On Tue, Jul 16, 2024 at 1:20 PM Robbie McElrath <rmce...@chromium.org> wrote:

Thanks - before I jump too deeply into the review, would you mind requesting the various review gate bits in your chromestatus entry?

Done. We've been using launch/ for the approvals so far. I added a link to the corresponding launch/ approval in chromestatus when applicable.

No, the IWA security rules are enforced with existing web primitives (CSP/TT, permissions policy, COI) that already have DevTools support. There is some non-DevTools tooling needed to build and sign the bundle, but I don't think there's a use case for adding bundle-related functionality into DevTools.
Makes sense. Are there plans to build said tooling and make it available to ease adoption?

Yeah, we already have JS tooling available to create bundles, sign bundles (the new integrity block format is already supported), and a webpack and rollup plugin. These make it easy to integrate with existing npm-based flows, see the telnet demo app for an example. There's also a go tool that can build and sign bundles, but it doesn't support integrity block v2 yet. Updating the go version has been lower priority as we don't know of anyone that actually used it.
 
Integrity block v2 was recently proposed to address key rotation related issues with v1. The internal design doc is here: go/iwa-key-rotation. Yes, we will be speccing this.
Great - any idea of when you might have some version of a spec draft ready?

The engineer working on this estimates it being done in the next few weeks.

An update to the Integrity Block explainer with the version 2 format landed in https://github.com/WICG/webpackage/pull/892.

Mike Taylor

unread,
Jul 31, 2024, 11:46:55 AM7/31/24
to Reilly Grant, Robbie McElrath, blink-dev

Thanks for the v2 updates.

LGTM1

Chris Harrelson

unread,
Jul 31, 2024, 11:46:58 AM7/31/24
to Reilly Grant, Robbie McElrath, blink-dev, Mike Taylor
LGTM1

To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAEmk%3DMYU6qeDa3VVrmUO_SGJ-MPeWJnebHRKiK8HtXQXJwY9gw%40mail.gmail.com.

Mike Taylor

unread,
Jul 31, 2024, 11:48:13 AM7/31/24
to Reilly Grant, Robbie McElrath, blink-dev

or LGTM2 - sorry, race condition.

Vladimir Levin

unread,
Aug 1, 2024, 11:40:48 AM8/1/24
to Mike Taylor, Reilly Grant, Robbie McElrath, blink-dev
My understanding is that IWAs would have to be signed by some entity before they can run (Google?). I was wondering if you had thoughts about a path forward if other browsers also support IWAs or if other companies want to sign and accept those bundles.

Essentially, would it become a somewhat fragmented ecosystem where some web bundles signed by Google are executed by Chrome, and others signed by other providers are executed by other browsers with little overlap? I'm not sure it's a problem, but I was just curious about the possible directions here.

Thanks,
Vlad

To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/02549cbf-4750-4edd-8604-fccabecd52bc%40chromium.org.

Robbie McElrath

unread,
Aug 1, 2024, 2:18:10 PM8/1/24
to blink-dev, Vladimir Levin, Reilly Grant, Robbie McElrath, blink-dev, Mike Taylor
For this initial managed accounts only launch, IWAs will only need to be signed by a developer key. That verifies the source of the app, but the trustworthiness signal comes from the fact that an admin chose to install the app on devices.

We do have a longer term plan for countersigning by a trusted party, in which case the bundle could have multiple signatures (separate from the developer signatures), only one of which would need to be trusted by Chrome. That particular design isn't finalized yet, and we don't have an ETA on when it would ship.

To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/02549cbf-4750-4edd-8604-fccabecd52bc%40chromium.org.

Vladimir Levin

unread,
Aug 1, 2024, 3:01:15 PM8/1/24
to Robbie McElrath, blink-dev, Reilly Grant, Mike Taylor
On Thu, Aug 1, 2024 at 2:18 PM Robbie McElrath <rmce...@chromium.org> wrote:
For this initial managed accounts only launch, IWAs will only need to be signed by a developer key. That verifies the source of the app, but the trustworthiness signal comes from the fact that an admin chose to install the app on devices.

We do have a longer term plan for countersigning by a trusted party, in which case the bundle could have multiple signatures (separate from the developer signatures), only one of which would need to be trusted by Chrome. That particular design isn't finalized yet, and we don't have an ETA on when it would ship.

Ok, thank you for the explanation.

LGTM3
 

To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/fb42ff3d-776d-4feb-822b-9d651bdb30e3n%40chromium.org.
Reply all
Reply to author
Forward
0 new messages