Isolated Web App
Contents
Full Title or Meme
An Isolated Web App is packaged into Web Bundles, signed by their developer, and distributed to end-users.
Context
- Isolated Web Apps extend Progressive Web App installation and Web Packaging to provide stronger protection against server compromise and other tampering. A small set of security-sensitive applications require this to migrate from Chrome Apps, Electron, or other web-adjacent solutions.
- As of 2023 this feature will only be available on desktop and not Smartphones.
Rather than being hosted on live web servers and fetched over HTTPS, these applications are packaged into Web Bundles, signed by their developer, and distributed to end-users through one or more of the potential methods described in the explainer.
Blink component UI>Browser>WebAppInstalls>Isolated (component request filed)
Explainer https://github.com/reillyeon/isolated-web-apps/blob/main/README.md
Motivation
Content Security Policy (CSP) provides strong protection against cross-site scripting (XSS) vulnerabilities. Transport Layer Security (TLS) and Subresource Integrity (SRI) provide protection against resources being tampered with in transit or when hosted on third-party servers. However, the threat model for some particularly security sensitive applications includes the main application server itself being compromised and serving malicious content. This goes beyond the protections that current policies can provide and requires exploring alternative ways that these applications could be distributed and validated.
Activation
Developers must build an IWA to use the Controlled Frame API. The IWA they build must then be deployed, currently using managed distribution via enterprise policy. These hurdles present significant activation risk since each of these are new technologies and require interaction with multiple systems.
Once the IWA is built, using the Controlled Frame element may require some direct engagement since the methods used to interact with embedded content are complicated. We recommend additional developer documentation and outreach directly with development partners.
Problems
- While it is claimed that they "will have useful security properties unavailable to normal web pages."[1] they will NOT be able to use (in 2025) the features available in the TEE.
- The API allows embedding third-party (non-IWA) content. The content will be loaded within dedicated storage partitions managed by the embedding application and won't have access to the same site's content as if it was loaded in a tab.
Controlled Frame
Adds a Controlled Frame API available only to Isolated Web Apps (IWAs).
- Interoperability and Compatibility This is a new API available only within IWAs. As a new API, it is subject to the risk that other browsers may not implement it. However, other browsers must also implement IWAs, and for now we are advancing this to assist our dev partners that are migrating from Chrome Apps.
This work will add a new Controlled Frame API which is only available to Isolated Web Apps (IWAs). Like WebView APIs on other platforms, Controlled Frame allows embedding all content, even third party content that can't be embedded in <iframe>. Controlled Frame also allows controlling embedded content with a collection of API methods and events.
References
- ↑ Isolated Web Apps Explainer GitHub Github https://github.com/WICG/isolated-web-apps/blob/main/README.md