-
Notifications
You must be signed in to change notification settings - Fork 56
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Web Install API - Cross-Origin #946
Comments
@plinss, @hober and I looked at this today during a breakout. We didn't quite understand how the flow is supposed to work for the app store use case. How would the app store get manifest ids, given that it seems the only way to procure a manifest id is after installation? Why not simply provide URLs to manifest files? What does the additional complexity of a manifest id get us? Also, the |
Hola @hober @plinss and @LeaVerou, Thanks for your patience! In the app store use case, the developer must already have this information. Could be asked when an app is being submitted or previous information that someone wanting to link and install 3P apps can easily find out. For cross-origin installs, the installing origin needs to have the to-be-installed origin's manifest id beforehand. Part of the reason we prefer to have an id for the app instead of pointing to the manifest's URL is because this URL can change. The About CORS I think this is good feedback! I'd like to keep CORS functionality implementation open to a future/parallel expansion of Web Install for sure. To start though, CORS is a bit less developer friendly, and thinking about developer ergonomics I'd like to have the install origins definition not rely (only) on headers. If both CORS and manifest |
@diekus wrote:
Why? Having a manifest at all isn't required for the same-origin installation case, so why require it in the cross-origin one? |
Put another way: if any website can provide a button for the user to add it to the Home Screen or Dock, and if it's reasonable for some other website to be able to initiate that on the original site's behalf (a premise I'm not personally sold on but let's grant it for the sake of this conversation), why would we limit the second scenario to a(n inscrutable to the user) subset of websites? |
Hola @hober, thanks for your feedback, we've been pondering about the implications of First, we want to make both use cases require an This resolves the concern in a way that makes the API consistent independent of the use case (same/cross-origin) and doesn't require the same-origin to-be-installed-content to have a manifest id or to be a web app. We believe it prevents developers from creating a bad app ecosystem as well. In the case of cross-origin installations, the requirement is to be an installable app and to require a manifest due to bad actor potential and avoiding a bad site to install any URL. This is achieved by opting into the installation sources field, which is present in a manifest file. |
In case it's helpful, I modified my earlier proposal here to match what Diego is proposing after we had a discussion. I am in alignment with Diego here, and that doc goes a little more in depth into the use-cases & edge cases here related to supplying an id field. |
for reference, linking here to developer feedback that is outside of the big browser vendors. There is appetite for this feature, and I find it encouraging that in a thread talking about the web not belonging to anyone, it's actual 3P developers the ones stepping up with signs of support. <3 w3ctag/ethical-web-principles#120 (comment) |
Thanks for bearing with us. Looking at this proposal again from first principles, it seems like a way to reduce the friction between discovering an app and installing it. The web doesn't need any new APIs for someone to build an application repository to search for apps; that's just a filter in a search engine. We don't need a new API to let someone curate the results in such a search engine according to their current trustworthiness. Without this proposal, the quickest route from an app-search results page to installing an app seems to be:
With this proposal, a browser could eliminate the middle two steps:
The TAG is split on whether that's potentially an improvement, with a majority thinking it isn't. Given that any given app is installed just once in its lifetime, one click is not a high price. There are several benefits to that: installation is controlled by the origin that will be installed, it doesn't require the creation of a bunch of machinery, and the installation is both attributable and accountable to the correct entity. If you think we need to eliminate that click, your explainer should present some supporting evidence. If you persist here, and you have UI in mind to deal with all of those issues, we think that a declarative model is likely to work better than the current imperative proposal. You identified a link attribute in your Alternatives Considered section, but maybe a new link relation type would work better than a new It is not clear to us why sites need to be able to control which stores can install them. This is the most centralizing aspect of the proposal: if a newly-created store needs to get the approval of hundreds of apps before it can be a viable store, you've created a moat around the incumbents. What would make that necessary in this model? The proposed The TAG remains conflicted on this proposal. A number of us are firmly of the view that this feature is unnecessary, both in terms of its justification and in terms of the cost. While that is the prevailing view, others are looking to find ways to enable browser experimentation that minimize the potential harm, especially to users and browsers that don't adopt this change. Overall, we'd prefer to see this not go ahead at all, but if it does, we'd like to keep talking through the above options or others that might reduce the potential harm. |
There seems to be some confusion in this thread. Some folks seem to be conflating browser-facilitated prompting based on browser quality signals with user-initiated flows that come from browser UI. Browsers that support browser-facilitated prompting have long required quality gates, including conformant manifests. The proposal here is explicitly to extend that system to cross-origin prompting. Browsers that don't provide any sort of developer-facilitated and controlled prompting are a long way from getting any value from It only really makes sense for browsers that support developers in promoting their web apps on the same origin to extend that support to cross-origin cases with |
Thanks for the discussion at TPAC. We're going to close this review for now, although feel free to re-open it once you've updated the explainer to deal with some of the concerns described above, and you're ready for us to re-review it. |
Hola TAG!
I'm requesting an early TAG review of the Web Install API.
The Web Install API allows a web site to install a web app (cross domain). This functionality allows the creation of web based catalogues that can install PWAs directly from the web and into multiple platforms.
Diego Gonzalez, GitHub, Microsoft
Further details:
You should also know that...
there's plenty of positive developer feedback for an API like this one!
The text was updated successfully, but these errors were encountered: