Web Share Target API #11
Comments
othermaciej
added
topic: web apis
|
Is this an Unofficial Draft of the Web Apps WG? Is it a community group thing? Can't tell the venue from the document itself. |
|
@othermaciej My understanding is that this draft comes from the WICG, as the Specification - Level 2 doc suggests:
https://github.com/WICG/web-share-target/ redirects to https://github.com/w3c/web-share-target. |
|
It's an unofficial draft, but it's in scope for WebApps WG should another implementer become interested: |
|
OK, so for now WICG, but has fast track to go to Web Apps WG depending on interest? |
othermaciej
added
the
venue: WICG
|
That's correct, yes. |
|
@hortont424, thoughts? |
|
Potential security concerns if this allows a website to appear in the Share Sheet with a site-chosen icon and name, as it can then intentionally duplicate a popular or preinstalled app and thus mislead users. |
|
The user would need to add the app to their home screen pro-actively, so when they are on Banana Game with a [🍌] icon and they try to add it and it suddenly says Facebook Messenger with a [💬] icon, they would notice there. |
|
So this API is only usable by installed/homescreen web apps? Not in the browser? |
In its current state, the spec leaves the user agent determine how, if, and when targets should be registered. The spec suggests different strategies that can be used to determine if the share target(s) should be registered: whether or not the web app is installed is one of them. Chrome's current implementation of the Web Share Target API requires the web app to be installed.
The spec also lists spoofing as a risk of "particular concern", and suggests that this risk is heightened when the user agent doesn't require the web app to be installed. |
|
@othermaciej I have opened w3c/web-share-target#109 asking if some sort of installation ceremony should be made obligatory by the spec. In practice, the API in its current implementation in Chromium already requires apps to be installed for it to have an effect. |
Ideally there should be not just an identification of the risk but also something in the spec (even if just a suggestion) to mitigate it. The risk is also heightened if it's possible for a web app's name or icon to change post-install (without user confirmation). |
|
Regarding changing icons and/or name: both are considered security-sensitive and the spec mandates UAs make users aware of such changes. |
marcoscaceres
added
concerns: security
|
This is a DRAFT POSITION and does not represent the consensus of the WebKit community. However, unless anyone objects by Friday 16th of November 2022, we will make the below the "official position". Please feel free to object or requests more time if needed. Please expressed support through the thumbs up reaction or additional comments (no +1 comments please!).
|
|
Thanks for your position, @marcoscaceres! If the spec were to hard-require installation (i.e., Add to Home Screen on iOS/iPadOS) of an app before it can appear as a Web Share Target, would that possibly move your position more toward positive? |
|
Personally, I still think we need to think about this more in the Web Community at large. I'm personally worried about creating an "installed web" and a regular web: where some things only work if an app is installed. We should avoid that as much as possible, though it may be unavoidable in this case. Having said that, "neutral" shouldn't be seen as negative. Maybe with a bit of work, Web Apps WG can turn it into something worth "support"ing? |
|
Closing as we've identified our position. |
Request for position on an emerging web specification
Information about the spec
Design reviews and vendor positions
Bugs tracking this feature
Anything else we need to know
Summary: While the Web Share API allows browsers to make use of the operating system's native "share" mechanism in web-to-native contexts, the Web Share Target API intent is to enable web-to-web and native-to-web sharing scenarios.
What is WebKit's position on this spec?
The text was updated successfully, but these errors were encountered: