I have read the explainer (and a number of other discussions linked out to), but I am still left wanting a deeper understanding of one aspect of the security restrictions inherent in this design:
If a web application is packaged as a PWA, and offered to the user to be installed, and if that user is even given a permissions prompt asking about enhanced networking... why wouldn't that be sufficient protection to allow such an app to make direct socket (UDP, specifically) connections with arbitrary hosts (like peers)?
And further, if this is locked down into the "IWA" bundled web app mode... why then would such a web app only be allowed to make such connections back to one specific origin server? Why wouldn't such an app be allowed, even through user controlled permissions, to make direct connections (again, UDP) with arbitrary hosts (like peers)?
Why shouldn't such an app be able to do P2P communications (such as chat or file sharing), just because it was built with JS... but if I take the same app (in web+JS tech), and wrap a tiny native shell wrapper around it, I am able to expose UDP networking to the app, and that's somehow inherently more safe?
I'm just trying to understand what specifically is preventing web-only installed apps (of any flavor or permission-prompt gate) from being able to securely do such communications?
Is the only difference that any native app shell wrapper would ostensibly have gone through an "app store review", whereas there's no centralized review of installable web-only app packages?