From c08a7974afa5296cb929d4f018520692ffb96c3f Mon Sep 17 00:00:00 2001 From: Niklas Merz Date: Mon, 6 Jul 2026 21:45:36 +0200 Subject: [PATCH 1/4] first skeleton --- index.bs | 136 +++++++++++++++++++++++++++++++++++++++++++++++++------ 1 file changed, 123 insertions(+), 13 deletions(-) diff --git a/index.bs b/index.bs index 199421f..57fb6bd 100644 --- a/index.bs +++ b/index.bs @@ -12,6 +12,24 @@ Abstract: Documention on how WebViews diverge conceptually from security concepts, user agent duties and practices defined for browsers. Markup Shorthands: markdown yes +Boilerplate: conformance no +Status Text: + This report was published by the [WebView Community Group](https://www.w3.org/community/webview/). It is not a W3C Standard nor is it on the W3C Standards Track. Please note that under the [W3C Community Contributor License Agreement (CLA)](https://www.w3.org/community/about/agreements/cla/) there is a limited opt-out and other conditions apply. Learn more about [W3C Community and Business Groups](https://www.w3.org/community/). + + This is a living document and does not intend to be exhaustive. + + GitHub Issues are preferred for discussion of this report. + + +
+{
+    "USAGE-AND-CHALLENGES": {
+        "authors": ["WebView Community Group"],
+        "href": "https://webview-cg.github.io/usage-and-challenges",
+        "title": "WebView: Usage Scenarios and Challenges",
+        "status": "Draft Community Group Report"
+    }
+}
 
@@ -28,12 +46,12 @@ This report documents how WebViews diverge conceptually from security concepts, # Rationale # {#rationale} -The TAG Web User Agents Finding states the key claim for user agents as software components : +The [[web-user-agents inline]] finding by the [TAG](https://tag.w3.org/) states the key claim for user agents as software components : > WebView libraries are *not* user agents on their own and do not implement the user-agent duties; > the **embedding application inherits the duties if it acts as a user agent**, and "developers need to take extra care … when using a non-user-agent WebView to implement an in-app browser." -It does not say *how*. This document is the cross-vendor, mechanism-level account of how a WebView configuration causes the embedding app to succeed or fail at each duty. +It does not say *how*. This document is the mechanism-level account of how a WebView configuration causes the embedding app to succeed or fail at each duty. # Scenario / Configuration # {#configuration} @@ -41,7 +59,24 @@ WebViews can be used in many different ways but one very typical configuration h **A host app embeds web content and exposes a native bridge.** -Note: TODO Details +
+ + + +
+ +# Terminology # {#terminology} + +
+ +* Host app +* [[USAGE-AND-CHALLENGES#webviews|WebViews]] +* [[USAGE-AND-CHALLENGES#types-of-webviews|Types of WebViews]] + +
# Diagrams # {#diagrams} @@ -66,13 +101,71 @@ Looking at the duties, design principles and threat model we can list areas wher If users have a realistic expectation of safety, they can make informed decisions between Web-based technologies and other technologies. For example, users may choose to use a web-based food ordering page, rather than installing an app, since installing a native app is riskier than visiting a web page. -* **Host control over content (integrity)** -* **Same Origin Policy** -* **Sandbox / process isolation** -* **Transport**: TLS, mixed content -* **Permissions** -* **Storage** -* **Anti-Tracking** +### Host control over content (integrity) ### {#host-control-over-content} + +The host app can intercept and sometime rewrite requests and responses in the WebView. +WebViews sometimes also can register their own custom schemes. + +
+ + + + + + + + + + + + + + + + + + + + + +
PlatformAPINotes
AndroidWebViewAssetLoader
iOS, macOSWKURLSchemeHandler
+ +
+ +### Same Origin Policy ### {#same-origin-policy} + +WebView APIs let the host app inject and execute JavaScript and CSS into an site regardless of the origin policy. + +### Sandbox / process isolation ### {#sandbox-process-isolation} + +Issue(#2): How does sandboxing and process isolation work in WebViews? + +### Transport: TLS, mixed content ### {#transport} + +The host app can change TLS settings without the user noticing. + +### Permissions ### {#permissions} + +Web permissions like location are handled by the host app and not through user interfaces provided by the browser. +The host app can silently allow or dismiss permission requests from web pages. + +### Storage ### {#storage} + +
+ +[[USAGE-AND-CHALLENGES#dfn-browser-like|Browser-like WebViews]] usually share their state with the systems browser. + +[[USAGE-AND-CHALLENGES#dfn-fully-fledged|Fully-fledged WebViews]] usually have their own storage scoped to the app. + +
+ +WebViews provide APIs to create "CookieStores" that let the host app developer decide how state is shared between WebView instances. + +### Anti-Tracking ### {#anti-tracking} + +The user has usually no way to configure anti-tracking measures. The host app might or might not be able to handle anti-tracking. +So there is no transparency to the user if their browsing is protected by anti-tracking technology. +WebViews have no UI to inspect how cookies are blocked. ## Honesty ## {#honesty} @@ -82,9 +175,26 @@ Users depend on trusted user interfaces such as the address bar, security indica to understand who they are interacting with and how. These trusted user interfaces must be able to be designed in a way that enables users to trust and verify that the information they provide is genuine, and hasn’t been spoofed or hijacked by the website. -* **Trusted UI / visible origin** -* **Security/permission indicators** +### Trusted UI / visible origin ### {#trustedui} + +The user usually cannot see the origin and TLS status in full screen WebViews. + +### Security/permission indicators ### {#permission-indicators} + +The host app has control of permission prompts or UI if elevated privilegdes are used. + +
+Using a WebView where the host app can intervene for a OAuth flow is discouraged +
# Comparison Table # {#comparison} -Issue(#1): Compare WebView implementations and show examples \ No newline at end of file +Issue(#1): Should we add WebView implementations and show examples? + +# Best practices # {#best-practices} + +Practical advice to follow when using WebViews. + +## Pick the correct type ## {#type} + +No OAuth \ No newline at end of file From 70c0548a074903f3f3ed753af0a0cd2b85918517 Mon Sep 17 00:00:00 2001 From: Niklas Merz Date: Mon, 6 Jul 2026 22:09:28 +0200 Subject: [PATCH 2/4] add very bad diagram --- diagrams/WebView-Basic.drawio | 68 +++++++++++++++++++++++++++++++++++ diagrams/WebView-Basic.svg | 4 +++ index.bs | 15 ++++---- 3 files changed, 80 insertions(+), 7 deletions(-) create mode 100644 diagrams/WebView-Basic.drawio create mode 100644 diagrams/WebView-Basic.svg diff --git a/diagrams/WebView-Basic.drawio b/diagrams/WebView-Basic.drawio new file mode 100644 index 0000000..8712cb3 --- /dev/null +++ b/diagrams/WebView-Basic.drawio @@ -0,0 +1,68 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/diagrams/WebView-Basic.svg b/diagrams/WebView-Basic.svg new file mode 100644 index 0000000..bc88b66 --- /dev/null +++ b/diagrams/WebView-Basic.svg @@ -0,0 +1,4 @@ + + + +
Host App
WebView
Origin

Web Content
JavaScript Bridge
Permissions
Storage
Storage
\ No newline at end of file diff --git a/index.bs b/index.bs index 57fb6bd..81834ee 100644 --- a/index.bs +++ b/index.bs @@ -80,14 +80,15 @@ WebViews can be used in many different ways but one very typical configuration h # Diagrams # {#diagrams} -Note: TODO: Basic diagram in preparation for threat model, Use the DSL? +Note: TODO: More diagrams in preparation for threat model. -
-T: /*
-ZeroOrMore:
-  N: anything but * followed by /
-T: */
-
+
+ +The host app contains the WebView, which contains the origin's web content. The host app reaches into the origin via a JavaScript bridge, and also mediates permissions requested by the origin. + +
The host app can inject script into the origin loaded in the WebView via a native bridge, crossing a boundary that browsers otherwise protect.
+ +
# Duties # {#duties} From ce8f79ef8cc496f892949ade09d0bcf729f5f9f4 Mon Sep 17 00:00:00 2001 From: Niklas Merz Date: Mon, 6 Jul 2026 22:15:30 +0200 Subject: [PATCH 3/4] updae publish workflow --- .github/workflows/auto-publish.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/auto-publish.yml b/.github/workflows/auto-publish.yml index d32a02d..1f4cd5b 100644 --- a/.github/workflows/auto-publish.yml +++ b/.github/workflows/auto-publish.yml @@ -1,7 +1,6 @@ # Create a file called .github/workflows/auto-publish.yml -name: CI +name: Build on: - pull_request: {} push: branches: [main] jobs: From 4db3237567c28e75f5df41c4c7d6dc6ab3c12be9 Mon Sep 17 00:00:00 2001 From: Niklas Merz Date: Mon, 6 Jul 2026 22:16:43 +0200 Subject: [PATCH 4/4] why two workflows --- .github/workflows/auto-publish.yml | 3 ++- .github/workflows/pr.yml | 16 ---------------- 2 files changed, 2 insertions(+), 17 deletions(-) delete mode 100644 .github/workflows/pr.yml diff --git a/.github/workflows/auto-publish.yml b/.github/workflows/auto-publish.yml index 1f4cd5b..d32a02d 100644 --- a/.github/workflows/auto-publish.yml +++ b/.github/workflows/auto-publish.yml @@ -1,6 +1,7 @@ # Create a file called .github/workflows/auto-publish.yml -name: Build +name: CI on: + pull_request: {} push: branches: [main] jobs: diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml deleted file mode 100644 index ceae65c..0000000 --- a/.github/workflows/pr.yml +++ /dev/null @@ -1,16 +0,0 @@ -name: PR Validation -on: - pull_request: {} -jobs: - main: - name: Build and Validate - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v5 - - uses: w3c/spec-prod@v2 - with: - TOOLCHAIN: bikeshed - VALIDATE_WEBIDL: false - VALIDATE_INPUT_MARKUP: false - VALIDATE_MARKUP: false - BUILD_FAIL_ON: nothing \ No newline at end of file