Isolated Web App
Full Title or Meme
An Isolated Web App is packaged into a Web Bundle, signed by its developer, and distributed to end-users.
Context
- Isolated Web Apps extend Progressive Web App installation and Web Packaging to provide stronger protection against server compromise and other tampering. A small set of security-sensitive applications require this to migrate from Chrome Apps, Electron, or other web-adjacent solutions.
- As of 2023, this feature will only be available on desktop and not on smartphones.
Rather than being hosted on live web servers and fetched over HTTPS, these applications are packaged into Web Bundles, signed by their developer, and distributed to end-users through one or more of the potential methods described in the explainer.
Blink component: UI>Browser>WebAppInstalls>Isolated (component request filed)
Explainer: https://github.com/reillyeon/isolated-web-apps/blob/main/README.md
Motivation
Content Security Policy (CSP) provides strong protection against cross-site scripting (XSS) vulnerabilities. Transport Layer Security (TLS) and Subresource Integrity (SRI) provide protection against resources being tampered with in transit or when hosted on third-party servers. However, the threat model for some particularly security-sensitive applications includes the main application server itself being compromised and serving malicious content. This goes beyond the protections that current policies can provide and requires exploring alternative ways that these applications could be distributed and validated.
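The gap described above, as an added example that is not taken from the explainer or from Chrome: an SRI check passes when the server that supplies the page also supplies the hash, while a bundle checked against a pinned developer key rejects modified content. The JSON "bundle", the Ed25519 choice and all helper names are assumptions of this sketch, not the real Web Bundle format.

```javascript
// Added illustration with constructed data; helper names are hypothetical.
const crypto = require("node:crypto");

const sri = (text) =>
  "sha384-" + crypto.createHash("sha384").update(text).digest("base64");

// Hosted model: the page served by the origin names its script and SRI hash.
function sriAccepts(page) {
  return sri(page.script) === page.integrity;
}

// Whoever controls the server rewrites the script and the hash together.
function compromisedServerPage() {
  const script = "/* changed on the server */ start();";
  return { script, integrity: sri(script) };
}

// Toy stand-in for a Web Bundle: deterministic JSON of path -> content.
function packBundle(resources) {
  const entries = Object.keys(resources).sort().map((p) => [p, resources[p]]);
  return Buffer.from(JSON.stringify(entries));
}

// Developer side: the signing key is kept off the web server.
function signBundle(bundle, privateKey) {
  return { bundle, signature: crypto.sign(null, bundle, privateKey) };
}

// Client side: accept only bundles that verify under the pinned developer key.
function verifyBundle(signed, pinnedPublicKey) {
  return crypto.verify(null, signed.bundle, pinnedPublicKey, signed.signature);
}

const developer = crypto.generateKeyPairSync("ed25519");
const genuine = signBundle(
  packBundle({ "/index.html": "<script src=app.js></script>", "/app.js": "start();" }),
  developer.privateKey
);

// Two ways a modified bundle can arrive: old signature reused, or re-signed
// with a key other than the developer's.
function tamperedBundles() {
  const other = crypto.generateKeyPairSync("ed25519");
  const bundle = packBundle({ "/index.html": "<script src=app.js></script>", "/app.js": "/* changed */ start();" });
  return [{ bundle, signature: genuine.signature }, signBundle(bundle, other.privateKey)];
}

console.log("SRI accepts server-modified page:", sriAccepts(compromisedServerPage()));
console.log("genuine bundle verifies:", verifyBundle(genuine, developer.publicKey));
console.log("tampered bundles verify:", tamperedBundles().map((b) => verifyBundle(b, developer.publicKey)));
```

The protection rests on the client pinning the developer's public key at install time and on the private key never being reachable from the serving infrastructure.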