From: Tim Berners-Lee <timbl@w3.org>
Cc: public-webapps@w3.org, Thomas Roessler <tlr@w3.org>, "Michael(tm) Smith" <mike@w3.org>, TAG List <www-tag@w3.org>
Message-Id: <6280764F-9877-40A7-A31B-F53F370C6524@w3.org>
To: Ian Hickson <ian@hixie.ch>



On 2012-01-20, at 14:32, Ian Hickson wrote in
http://lists.w3.org/Archives/Public/public-webapps/2012JanMar/0238.html :

> On Fri, 20 Jan 2012, Tim Berners-Lee wrote:
> [...]
>> There are of course places where XHR is used and there is no
>> cross-site scripting security needed
>>
>> 1) in a browser extension
>> 2) in node.js code trusted apps
>
> These aren't the Web, so they're probably out of scope of the CORS and XHR
> specs, but Anne can comment if he disagrees. :-)
>
>
>> 3) in web apps when web apps can, in I hope the near future, be
>> installed, and flagged as trusted code
>
> Personally I think the idea of "installing" a Web app is anathema.

You may, but others have a need for it.

The open web platform is a strong contender for apps which you write once run anywhere and end up being a better alternative, or quietly moving out, native apps on all kinds of device.

These apps have got to be able to completely act as agents trusted by the user, like for example

- a web browser
- a calendar client
- an IMAP client

and so on, none of these can you currently write as a web app, because of CORS.

As a user when I install an app, I want to be able to give it access to a selection of:

- Program storage, to a limit
- Whether it is permanently available or downloaded or cached for a while
- Access to RAM at runtime, to a limit
- Access to the net, maybe to a bandwidth limit
- CPU time when in background, to a limit
- Ability to access anything on the web
- Access to its own local storage up to a given limit
- Access to shared local storage up to a given limit
- Access to my location, as we currently allow an origin;
- Access video and still camera, and sound
- Access to other sensors such as temp, accelerometer, etc

I want to be able to see where all my resources (including CPU, RAM, 'disk') on my laptop or tablet or phone are being used up, just like I do with music and movies.

I want maybe a couple of default profiles for all the above.
(I'll want to sync its local and shared data storage between all my devices too)

If I can't give power to apps, then the web app platform cannot compete with native apps.

I don't want the value of these settings to be the origin domain name of the script of the app, as that is too high a granularity.

Note that when people talk about installation, they often immediately discuss packaging and manifest formats, which will need to be defined, and for which we might have more than one, but is not the crux of the issue -- the crux is allowing it access to precious and/or sensitive resources.

Tim