On Fri, Mar 16, 2012 at 6:07 PM, Mounir Lamouri <
mou...@lamouri.fr> wrote:
> AFAIK, right now, all applications in B2G are in an <iframe mozbrowser>,
> the browser app like the other apps.
>
Most of them are, yes. But Chris Jones has suggested that we create another
iframe attribute called "mozapp" which has a subset of the mozbrowser
functionality. This is because the homescreen doesn't necessarily need all
the privileges over app content that the browser app needs over web page
content. Chris has suggested that mozapp iframes should be a black box that
the homescreen can't look into, but that acts as a window.top boundary and
ignores X-Frame Options headers like mozbrowser does. I only think we
should look to create this if there are clearly distinct use cases for the
two.
Another alternative is to use a similar syntax to <iframe sandbox> where
you turn mozbrowser features on and off at a more granular level, so you
could create an <iframe mozbrowser> that just acts as a window.top boundary
but doesn't have any other features like emitting events and allowing
access to history for example. The other extreme would be to propose two
new HTML elements <browser> and <window>!
>
> If I understood it correctly, the reason why non-browser apps are inside
> an <iframe mozbrowser> is to prevent frame busting and also let the
> application believe it's is not inside an iframe because some
> application are "remote" like the Facebook app that is loading
>
m.facebook.com and websites very often check that they are not inside an
> iframe and behave differently in that case.
>
That is correct and there's nothing special about the browser app in this
regard. The browser app is actually an <iframe mozbrowser> that contains a
nested <iframe mozbrowser> in which web page content is loaded. The nested
iframe is actually the one which uses all the mozbrowser features in that
the outer iframe can listen for cross-origin events which wouldn't usually
escape out of the inner iframe like loadstart, loadstop and locationchange.
> The frame busting should be fixable with the sandbox attribute [1] on
> the iframe element but faking that the iframe is at the top level is
> harder. We could add another proprietary attribute to the iframe element
> but I don't think there is a real usage for that in the web in general.
> Another solution would be to create a brand new element like
> <application> that would be like an iframe but with all specificities
> required for an application. However, that seems a bit too much.
> Instead, I tend to think we should not worry about applications that
> check if they are at the top level window. Indeed, that seems completely
> reasonable for a website that aims to be opened by a browser to check
> that but an installed web app shouldn't behave the same way.
>
A lot of web sites check that they're not inside an iframe and either try
to bust out of it or refuse to render, usually to prevent phishing. We
should allow this to continue to happen for non-mozbrowser or non-mozapp
iframes.
If we wanted
touch.facebook.com to become an Open Web App, we couldn't ask
that they turn off their frame busting, because it's still necessary on
other platforms. I think its likely that many "apps" may be used both as an
installed web app and as a web site in a standard browser.
>
> Basically, that would create a distinction between installed web apps
> and bookmarked websites. Bookmarked websites would be websites with an
> icon in the user homescreen that will open a browser without a UI (aka
> <iframe mozbrowser> for the moment) but installed web apps will be
> opened inside an <iframe sandbox>.
>
We could potentially load bookmarks in an <iframe mozbrowser> and apps in
an <iframe mozapp> or <iframe sandbox> if that fulfils all the
requirements. What user interface elements are displayed is a separate UX
issue.
>
> The second point I would like to rise is to use <browser> instead of
> <iframe mozbrowser>. I think <browser> is nicer regarding semantic. It
> will also prevent us to take all the iframe stuff we might not really
> need and will make the Browser API (or whatever the name is) easier to
> standardized (and likely implement) because more isolated.
>
I wouldn't be opposed to this. I also wouldn't be opposed to proposing a
<window> or <app> element to wrap apps in and make it easier for a
homescreen as a web app to act as a window manager - but I struggle to see
the incentive for other vendors to implement these HTML elements.
> I have the feeling that specializing <iframe> behavior for the browser
> app has been done because the iframe represents a nested browsing
> context. However, there are other elements in HTML that represents a
> nested browsing context (like <object> or <frame>) so adding one doesn't
> seem wrong. Unless we need some specific features the <iframe> has or
> there is a strong semantic link between those.
>
I think it's more because proposing a new HTML element seems like a bigger
jump when an ordinary iframe and a mozbrowser iframe have so much in
common, but perhaps this isn't the case.