rayankans
commented
2 years ago Thanks for bringing this up @muodov!
Access to cross-origin/3P web content (i.e web content that is not owned by the host application) can have serious security/privacy implications (example).
I think it makes sense to follow the web's security model here, since the web was designed to be composable through the use of iframes. Embedding web content in a native app can be thought of in the same way as having an iframe on your website, where the native app is the top-level context and the WebView is the iframe. The web contents of an iframe are only accessible if it's a same-origin (which would map to being a 1P web page in the world of WebViews).
However, this model would also block some valid use cases, like #4 (Building opinionated browsers). My thinking is that same-origin policies should be applied to WebViews, unless an app declares itself to be a browser (receives special browser permissions), or involves some form of user consent (similar to the extensions topic which came up in previous CG meetings; extensions allow an elevated level of control over web content, however they are explicitly installed by users).
I'd love to hear more from people who build hybrid apps & modify 3P web content, since this doesn't technically fall under the "building a browser" scenario.
muodov
QingAn
There's been a few conversations where security concerns were raised (1, 2, 3, 4, 5)
In particular, there seems to be a recurring question about whether same-origin policy should apply to the native context. Shall we discuss different perspectives here?