Compare commits


3 Commits

| Author | SHA1 | Message | Date |
|---|---|---|---|
| fria | 2e84b1b7e2 | Merge aa4d388c20 into 2d44ecf8a6 | 2024-11-24 20:10:23 -06:00 |
| fria | aa4d388c20 | wording | 2024-11-24 20:10:21 -06:00 |
| fria | 89f2c1de8e | add article on web bundling | 2024-11-24 20:06:56 -06:00 |


@ -17,7 +17,7 @@ The concept of a [Progressive Web App](https://developer.mozilla.org/en-US/docs/
## Current Web-Based Apps ## Current Web-Based Apps
Attempts at similar things have been made before, notably the infamous [Electron](https://www.electronjs.org) allows developers to easily create cross-platform apps by essentially bundling an entire chromium browser in with the app. This approach has its [drawbacks](https://usa.kaspersky.com/blog/electron-framework-security-issues/28952/?srsltid=AfmBOor_UcYY-84soHz5K2ULTmhlX44-DsIfJp_StotBrusD63MweSGO), though. Browsers have huge attack surface so it's important to keep them updated, but many Electron apps ship outdated versions, leaving those apps vulnerable. Each app will have its own version of chromium with its own attack surface, adding up to a performance and security nightmare. PWAs use the browser that you already have installed, so as long as you keep it updated all your apps will have all the latest security fixes. Attempts at similar things have been made before, notably the infamous [Electron](https://www.electronjs.org) allows developers to easily create cross-platform apps by essentially bundling an entire chromium browser in with the app. This approach has its [drawbacks](https://usa.kaspersky.com/blog/electron-framework-security-issues/28952/?srsltid=AfmBOor_UcYY-84soHz5K2ULTmhlX44-DsIfJp_StotBrusD63MweSGO), though. Browsers have huge attack surface so it's important to keep them updated, but many Electron apps ship outdated versions, leaving those apps vulnerable. Each app will have its own version of chromium with its own attack surface, adding up to a performance and security nightmare. In contrast, PWAs use the browser that you already have installed, so as long as you keep it updated all your apps will have all the latest security fixes.
So why isn't every Electron app shipping as a PWA? The answer is an age old problem with web content: the fact that you have to trust the server fully. You make an HTML GET request and you're served the content, but if the server is compromised, you'll be served a compromised website. You also need to rely on the security of DNS name resolution and the [certificate authority](https://www.digicert.com/blog/what-is-a-certificate-authority) system. This is a huge problem for security-sensitive applications like messengers. An attacker that gains access to their server even just temporarily, could distribute compromised clients to millions of people, potentially breaking E2EE or any other number of malicious actions. So why isn't every Electron app shipping as a PWA? The answer is an age old problem with web content: the fact that you have to trust the server fully. You make an HTML GET request and you're served the content, but if the server is compromised, you'll be served a compromised website. You also need to rely on the security of DNS name resolution and the [certificate authority](https://www.digicert.com/blog/what-is-a-certificate-authority) system. This is a huge problem for security-sensitive applications like messengers. An attacker that gains access to their server even just temporarily, could distribute compromised clients to millions of people, potentially breaking E2EE or any other number of malicious actions.
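Review bot: The Kaspersky link in the changed Electron paragraph still carries a `?srsltid=...` tracking parameter; since this line is being touched for wording anyway, strip the query string so the article links to the canonical URL. In the same paragraph, "notably the infamous Electron allows developers" runs two clauses together and "chromium" should be capitalised as "Chromium". The unchanged paragraph below says "You make an HTML GET request"; the request is HTTP, which is worth correcting in the same pass because the trust argument there is about what the server returns over that request.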
@ -40,6 +40,6 @@ IWAs use a totally new [URL scheme](https://github.com/WICG/isolated-web-apps/bl
## Issues ## Issues
The [Worldwide Web Consortium](https://www.w3.org) currently has an open issue on their GitHub for IWAs with some interesting discussions that are worth checking out. There are some [criticisms](https://github.com/w3ctag/design-reviews/issues/842#issuecomment-1989631915) of IWAs, at least in their current form. A big point of contention is giving IWAs access to more powerful features like raw TCP and UDP socket access, similar to what a natively installed app might be able to do, which Martin Thomson at Mozilla argues is dangerous even with user consent. It'll be a long process of iterating on the design before a version of this idea that's secure and available across browsers. The [Worldwide Web Consortium](https://www.w3.org) currently has an open issue on their GitHub for IWAs with some interesting discussions that are worth checking out. There are some [criticisms](https://github.com/w3ctag/design-reviews/issues/842#issuecomment-1989631915) of IWAs, at least in their current form. A big point of contention is giving IWAs access to more powerful features like raw TCP and UDP socket access, similar to what a natively installed app might be able to do, which Martin Thomson at Mozilla argues is dangerous even with user consent. Martin has a nice in-depth [article](https://lowentropy.net/posts/bundles/) on bundling web content that's worth checking out on their website. It'll be a long process of iterating on the design before a version of this idea that's secure and available across browsers.
Right now, Chrome ships the feature [enabled by default](https://chromestatus.com/feature/5146307550248960) but only on ChromeOS for admin-controlled machines and select development partners of Google. Safari and Firefox haven't implemented the feature, with [Firefox](https://github.com/mozilla/standards-positions/issues/799#issuecomment-2342084330) taking a stance against it. Perhaps in its trial run the technology will prove its potential, or maybe IWAs aren't the best solution after all and another attempt will come along. I'll be watching with great interest either way. Right now, Chrome ships the feature [enabled by default](https://chromestatus.com/feature/5146307550248960) but only on ChromeOS for admin-controlled machines and select development partners of Google. Safari and Firefox haven't implemented the feature, with [Firefox](https://github.com/mozilla/standards-positions/issues/799#issuecomment-2342084330) taking a stance against it. Perhaps in its trial run the technology will prove its potential, or maybe IWAs aren't the best solution after all and another attempt will come along. I'll be watching with great interest either way.
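Review bot: The added sentence in the Issues paragraph repeats "worth checking out" from the paragraph's opening sentence, switches to first name only right after "Martin Thomson at Mozilla", and leaves "on their website" dangling after the link; consider something like "Thomson's in-depth [article](https://lowentropy.net/posts/bundles/) on bundling web content covers this in more detail." The sentence that follows it, "before a version of this idea that's secure and available across browsers", is missing its verb (for example "exists"). Also in this paragraph, "Worldwide Web Consortium" should read "World Wide Web Consortium", and the linked issue lives in the `w3ctag/design-reviews` repository, so naming the TAG design review would be more precise than "an open issue on their GitHub".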