Closed xfq closed 3 years ago
We should also figure out the security story for Mini Programs & Quick Apps.
360 Mini Programs is the first implementation that supports desktop.
The MiniApps Ecosystem Community Group was created following discussions at TPAC, to incubate work on MiniApps and serve as a base for analysis and proposals of specific work items.
There are discussions about creating a working group for MiniApps.
Here's the draft WG charter: https://w3c.github.io/miniapp/charters/wg-2020.html
Issues can be filed in https://github.com/w3c/miniapp/issues
Te mention of mapping makes me wonder whether the work of the Maps For HTML Community Group should be examined.
The different requirements for mas in browsers and for maps in MiniApp could also be stressed in the charter (if there are any).
Agreed. Filed an issue here: https://github.com/w3c/miniapp/issues/74
Related standardization effort in IEEE SA: https://standards.ieee.org/project/2858.html
Discussed in Strategy meeting 26 May 2020: https://www.w3.org/2020/05/26-strat-minutes.html#item01
Some follow-up in these issues: https://github.com/w3c/miniapp/issues/75 https://github.com/w3c/miniapp/issues/76 https://github.com/w3c/miniapp/issues/77 https://github.com/w3c/miniapp/issues/79
On the security side, I'm concerned that miniapp environments (superapps) will (and do) bypass many of the protections we've already build in browsers. Merely attesting to the origin of code packages is not enough - I'm interested in how they handle isolation and injection protection - and I'm leery of reinventing something that has already had so much effort put into it. In summary, there needs to be a stronger security story here, particularly to justify the bypassing of browser protections.
Similarly, I'm concerned that duplicating APIs (e.g. device and sensor APIs) in these environments will bypass protections - particularly for fingerprinting - that we have worked hard to get into the our web APIs. Is there a way to start with the baseline of the web APIs, with the protections we've already specified for those?
See also the open issue re: operational considerations: https://github.com/w3c/miniapp/issues/76
Merely attesting to the origin of code packages is not enough - I'm interested in how they handle isolation and injection protection - and I'm leery of reinventing something that has already had so much effort put into it. In summary, there needs to be a stronger security story here, particularly to justify the bypassing of browser protections.
I am no security expert, but here's my preliminary analysis on isolation and injection protection:
eval
and new Function
, XSS is very difficult;I think we should open a separate issue in https://github.com/w3c/miniapp/issues to discuss this issue.
Similarly, I'm concerned that duplicating APIs (e.g. device and sensor APIs) in these environments will bypass protections - particularly for fingerprinting - that we have worked hard to get into the our web APIs. Is there a way to start with the baseline of the web APIs, with the protections we've already specified for those?
This is tracked in https://github.com/w3c/miniapp/issues/79
See also the open issue re: operational considerations: w3c/miniapp#76
Thanks for opening this issue. I'll discuss it with the CG.
no comment/suggestion pointed from i18n.
APA asks @ruoxiran to help review this for accessibility considerations.
Isn't this in the chartering phase per https://www.w3.org/mid/8323ed3a-7f77-d6dc-b779-4f2404addc6e@w3.org (in the "funnel")
I agree. I've moved it to "Chartering".
Accessibility comment is here: https://github.com/w3c/miniapp/issues/139#issue-735831543
Charter under AC review: https://lists.w3.org/Archives/Public/public-new-work/2020Nov/0007.html
Results (limited visibility): https://www.w3.org/2002/09/wbs/33280/miniapps-charter-2020/results
I see that Apple iMessage (a native application) allows Apps to be hosted inside it, and wonder if that would count as Mini Apps?
https://developer.apple.com/design/human-interface-guidelines/ios/extensions/messaging/
@svgeesus iMessage can host other applications indeed, but it uses the Messages framework instead of Web technologies, so I think it depends on how we define MiniApps.
The current definition in the MiniApps WG is in the white paper and the MiniApp Packaging spec.
MiniApps are small, install-free, fast-loading programs which typically are run inside other, larger native applications. They use a mixture of native and Web capabilities. Currently, these are mostly used in China. Examples:
Draft WG charter: https://w3c.github.io/miniapp/charters/wg-2020.html