Intent to Ship: Isolated Web Apps
Robbie McElrath
Contact emails
rmce...@chromium.org, rei...@chromium.org
Explainer
https://github.com/WICG/isolated-web-apps/blob/main/README.md
Specification
https://wicg.github.io/isolated-web-apps/isolated-contexts
Summary
Isolated Web Apps (IWAs) are an extension of existing work on PWA installation and Web Packaging that provide stronger protections against server compromise and other tampering that is necessary for developers of security-sensitive applications.
Rather than being hosted on live web servers and fetched over HTTPS, these applications are packaged into Web Bundles and signed by their developer. For this initial launch, installation can only be triggered by enterprise policy on managed devices.
Blink component
TAG review
https://github.com/w3ctag/design-reviews/issues/842
TAG review status
Pending
Risks
Interoperability and Compatibility
Gecko: No signal (https://github.com/mozilla/standards-positions/issues/799)
WebKit: No signal (https://github.com/WebKit/standards-positions/issues/184)
Web developers: Several companies have reached out asking about IWA availability (can’t name them publicly), the iwa...@chromium.org list is active, and there’s been some interest in the WICG repo.
Other signals:
WebView application risks
Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
N/A. Feature not compiled in Android.
Debuggability
Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, ChromeOS, Android, and Android WebView)?
No, the initial launch is scoped to ChromeOS only.
Is this feature fully tested by web-platform-tests?
No, IWAs are built on top of PWA infrastructure, which isn’t currently supported by WPT.
Flag name on chrome://flags
#enable-isolated-web-apps
Finch feature name
IsolatedWebApps
Requires code in //chrome?
True
Launch bug
https://launch.corp.google.com/launch/4234446
Measurement
We have histograms measuring the following (see WebApp.Isolated.*):
Installation result
Update result
Orphaned bundle cleanup job result
Bundle verification (signature and file format) result
Bundle resource read result
Availability expectation
Initially only available on ChromeOS, with other platforms following at a later date.
Adoption expectation
Expected to be used initially by a small number (<10) number of partners, but any enterprise admin could develop and deploy an IWA if they choose.
Adoption plan
Working directly with partners for whom IWAs are an appropriate solution.
Non-OSS dependencies
Key rotations are handled by the Component Updater, which receives Google-managed configuration data.
Sample links
https://github.com/GoogleChromeLabs/telnet-client
https://github.com/WICG/controlled-frame/tree/main/test_app
Estimated milestones
Anticipated spec changes
Open questions about a feature may be a source of future web compat or interop issues. Please list open issues (e.g. links to known github issues in the project for the feature specification) whose resolution may introduce web compat/interop risk (e.g., changing to naming or structure of the API in a non-backward-compatible way).
We recently added support for Integrity Block v2 to Signed Web Bundles, which hasn’t been spec’d yet. We’re supporting both Integrity Block formats for a few releases while partners migrate before dropping support for v1.
Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5146307550248960
Links to previous Intent discussions
Intent to prototype: https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAEmk%3DMayyUjocrvyQKgu-bZy_4z5VJ0ijHCAijBTZY2xLwJpJQ%40mail.gmail.com
This intent message was generated by Chrome Platform Status.
Mike Taylor
Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5146307550248960
Links to previous Intent discussions
Intent to prototype: https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAEmk%3DMayyUjocrvyQKgu-bZy_4z5VJ0ijHCAijBTZY2xLwJpJQ%40mail.gmail.com
This intent message was generated by Chrome Platform Status.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CANtkjcS1A2rO%2BvHnnPXqc6sxhjenearhCGx9vxt%2BcKqM5otDfA%40mail.gmail.com.
Robbie McElrath
Are there any things that an IWA needs that DevTools can't currently do?
Can you say more about this please? Or is there an issue or explainer to read for more context? Is there a plan to do the spec work?
Link to entry on the Chrome Platform Statushttps://chromestatus.com/feature/5146307550248960
Links to previous Intent discussionsIntent to prototype: https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAEmk%3DMayyUjocrvyQKgu-bZy_4z5VJ0ijHCAijBTZY2xLwJpJQ%40mail.gmail.com
This intent message was generated by Chrome Platform Status.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.