More on Sites vs. Apps

msrichmond edited this page Jun 5, 2013 · 4 revisions

There are two different runtime/security models: one for web pages in web browsers, and one for standalone apps executing on a runtime. Apps on a runtime can generally use APIs designed for web pages, but not the reverse.

Browsers cannot trust the content they display, since browsers can go to any page on the web. Browsers can also be used to identify and track users through capability fingerprinting, following them as they go from web page to web page (e.g. knowing extension versions, codecs, fonts, screen size, it doesn’t take a lot more to identify a specific device).

Separately installed apps (on a runtime) do not act as browsers and are more trusted by users. Since they aren’t used to surf the web, they don’t have the same fingerprinting issues.

The consequence is that if an API could cause the user serious harm when they accidentally say “yes” when they should have said “no”, the API is not allowed in a browser. Because of fingerprinting, browser APIs are written to reveal as little device information as possible. So instead of getting a list of all available capabilities, the web page asks to use a particular capability and either gets a successful response or does not.
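An added illustration of the design rule above (not part of the original wiki page or of any W3C spec): it compares what a page learns from a hypothetical enumeration API with what it learns from a hypothetical ask-for-one-capability API, over a constructed set of device profiles. All function names, capability names and device data are assumptions made up for the example.

```javascript
// Constructed sample population; capability names are illustrative only.
const devices = [
  { id: "A", caps: ["h264", "vp8", "font-a"] },
  { id: "B", caps: ["h264", "vp8", "font-b"] },
  { id: "C", caps: ["h264", "font-a"] },
  { id: "D", caps: ["h264", "vp8", "font-a", "ext-1"] },
  { id: "E", caps: ["vp8", "font-a"] },
  { id: "F", caps: ["font-a", "vp8", "h264"] }, // same set as A, different order
  { id: "G", caps: ["vp8", "font-b"] },
];

// Hypothetical design 1: the page receives the full capability list.
function enumerateCapabilities(device) {
  return [...device.caps].sort();
}

// Hypothetical design 2: the page names one capability and gets success or not.
function requestCapability(device, name) {
  return device.caps.includes(name);
}

// Group devices by what the page observes. Each group is an anonymity set:
// devices the page cannot tell apart. Returns group sizes, largest first.
function anonymitySets(population, observe) {
  const groups = new Map();
  for (const d of population) {
    const key = JSON.stringify(observe(d));
    groups.set(key, (groups.get(key) || 0) + 1);
  }
  return [...groups.values()].sort((a, b) => b - a);
}

// Number of devices that sit alone in their group (individually identifiable).
function uniquelyIdentified(population, observe) {
  return anonymitySets(population, observe).filter((n) => n === 1).length;
}

const askH264 = (d) => requestCapability(d, "h264");
console.log("enumeration:", anonymitySets(devices, enumerateCapabilities),
  "unique:", uniquelyIdentified(devices, enumerateCapabilities));
console.log("ask for h264:", anonymitySets(devices, askH264),
  "unique:", uniquelyIdentified(devices, askH264));
```

In this constructed population the full list singles out five of the seven devices, while the single yes/no answer leaves every device in a group of at least two.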

That leaves a lot of things a native app can do that a web page can’t. The W3C SysApps Working Group is intended for those APIs that (at least at present) browsers won’t do. (There could be some other browser security model in the future for trusted pages, but not now.)

When the SysApps WG was being planned, there was a very long list of missing APIs and the people defining the Working Group voted on which they thought most important and made offers to help. There was far too much to do, so the initial charter has a limited number of specs to make it reasonable to complete in a fairly short time.

In general, if the user saying 'yes' could lead to bad consequences or something would help identify and track users, it won’t be an API for use in Web pages. If a feature is in very high demand, that rule gets bent, but it generally holds. Standalone apps that are specifically installed don’t have those same limitations. APIs for web pages are created in a very large number of W3C WGs. SysApps does the ones that are only for standalone apps.
