Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

MiniApp Lifecycle #523

Open
QingAn opened this issue Jun 10, 2020 · 26 comments
Open

MiniApp Lifecycle #523

QingAn opened this issue Jun 10, 2020 · 26 comments
Assignees
Labels
Progress: pending external feedback The TAG is waiting on response to comments/questions asked by the TAG during the review Review type: CG early review An early review of general direction from a Community Group Topic: Mini Apps Venue: MiniApps CG

Comments

@QingAn
Copy link

QingAn commented Jun 10, 2020

Hello TAG!

I'm requesting a TAG review of MiniApp Lifecycle.

This is the first proposal from the MiniApps Ecosystem Community Group. This is a proposal for a new Web API for MiniApp lifecycle to manage the lifecycle events of both global MiniApp application lifecycle and each MiniApp page’s lifecycle. MiniApp is composed of two layers, app layer and page layer. Therefore, MiniApp lifecycle contains application lifecycle and page lifecycle.

Further details:

  • [*] I have reviewed the TAG's API Design Principles
  • The group where the incubation/design work on this is being done (or is intended to be done in the future): MiniApps Ecosystem Community Group
  • The group where standardization of this work is intended to be done ("unknown" if not known): unknown
  • Existing major pieces of multi-stakeholder review or discussion of this design:
  • Major unresolved issues with or opposition to this design:
  • This work is being funded by:

You should also know that...
We'd prefer the TAG provide feedback as (please delete all but the desired option):

🐛 open issues in our GitHub repo for each point of feedback

@QingAn QingAn added Progress: untriaged Review type: CG early review An early review of general direction from a Community Group labels Jun 10, 2020
@torgo torgo added this to the 2020-06-15-week milestone Jun 10, 2020
@torgo torgo self-assigned this Jun 10, 2020
@cynthia
Copy link
Member

cynthia commented Jun 16, 2020

Have you folks https://wicg.github.io/page-lifecycle/ seen this? It feels like there might be duplicate work happening.

Putting that aside, I'm not quite sure about the utility of being able to access the fragments from the URI - shouldn't that be available through location?

(Our position regarding miniapp specific URIs still stands.)

@QingAn
Copy link
Author

QingAn commented Jul 3, 2020

Have you folks https://wicg.github.io/page-lifecycle/ seen this? It feels like there might be duplicate work happening.

Yes, we have looked at this doc. Since this doc only applies for page lifecycle, not at app-level. Therefore, we think it is necessary to define both app-level and page-level lifecycle.

@cynthia
Copy link
Member

cynthia commented Sep 24, 2020

What is the "worker" in this lifecycle? It doesn't seem like it's a service worker, nor a web worker. Is this a new kind of worker?

@torgo
Copy link
Member

torgo commented Sep 24, 2020

Can you please give us an update on this one and let us know current status?

@plinss plinss removed this from the 2020-09-21-F2F-Cork milestone Oct 14, 2020
@xfq
Copy link
Contributor

xfq commented Nov 16, 2020

For the relationship between MiniApp Lifecycle and related work in W3C, you can see a simple comparison here. I have also filed a few issues asking for clarification.

For the definition of worker, I think it means the "logic layer" in https://xfq.github.io/miniapp-comparison/#overview (it's my personal notes about some of the technical differences between MiniApps and web apps).

For the current status, the CG (and/or proposed WG) plans to provide a mapping to existing Web specifications such as Service Workers and Page Visibility whenever possible. It is mentioned in the draft WG charter: https://w3c.github.io/miniapp/charters/wg-2020.html#rec-track

@xfq
Copy link
Contributor

xfq commented Aug 23, 2021

FYI - the MiniApps Working Group has been chartered and this spec has been published (as a Working Draft on /TR).

@torgo
Copy link
Member

torgo commented Sep 16, 2021

Hi @xfq – We're just reviewing in the TAG virtual f2f today. A few things we noted:

  1. The mapping of Miniapp states to other w3c specs may be innacurate - in particular the mapping to service worker states.

  2. The lifecycle document doesn't reference Manifest at all. It was our understanding that Miniapps would use the manifest file with the Miniapp extensions and that doesn't seem to be referenced in the document.

  3. It doesn't look like you're referencing ServiceWorker either - is there a Miniapp state which makes use of ServiceWorker?

  4. When a Miniapp is launched what origin can it be said to have, with regard to the web's security model? That would seem to be important from a lifecycle point of view.

We also note that the Page Lifecycle document that you point to as comparison is out of date and itself needs to be updated (in particular to reflect installation via Manifest, which is missing).

We think it's worth considering whether these lifecycle efforts (MiniApps, web pages, PWA) could be consolidated or brought together in some way.

@QingAn
Copy link
Author

QingAn commented Sep 22, 2021

Thanks for the feedback. I have one question about the comment 1, hope some further clarification.

  1. The mapping of Miniapp states to other w3c specs may be innacurate - in particular the mapping to service worker states.

Actually, in the current draft version, the mapping has not been defined yet. So I am not sure why the mapping "may be inaccurate". Or is the intention to add the mapping content?

@plinss plinss added this to the 2022-12-12-week milestone Dec 12, 2022
@ylafon
Copy link
Member

ylafon commented Feb 13, 2023

Hi, we reviewed Lifecycle again during our last F2F meeting.

For clarity, we'd like to separate the concerns we have in terms of priority.

  1. BLOCKER: Origin model

Looking at https://github.com/w3c/miniapp-lifecycle/blob/main/docs/explainer.md#miniapp-origin the definition of Origin is crucial for following the same-origin policy, to ensure that the page is in a secure context to enable APIs that are only available in such context.

On the Web, it is done cryptographically via TLS and OCSP. In app stores, native applications are using validation done by the app store (like universal link), but this is not a first-hand verification (see the point below about responsabilities of the intermediary).

Note that files contained in the package act as a local cache for content relative to the origin, and as such should be verifiable to ensure that the origin-model is applicable here, even if no HTTP request will ever reach the network but would always be dereferenced to the content of the mini app package.

  1. BLOCKER: Package can be modified by the intermediary

As there is no end-to-end cryptographically guaranteed scheme for validating the integrity of the package compared to what the content distributor originally shipped, the current proposal puts the users at the mercy of the app store to guarantee package integrity. We think this goes against the fundamental principles of the web and is a risk. A zero-trust model, such as what was introduced in signed exchanges would mitigate this.

There are notions about digital signatures in the response, but without knowing exactly when the signing happens by who, there isn't a guarantee that the content is as it came from the origin. If there is strong enforcement to guarantee that the signing is done at the point where it leaves the origin (or an equivalent first-party), this would be a way forward.

  1. ZIP

Just to be clear on this, this is more of an issue with regards to random traversal of the underlying content of a given payload. For smaller payloads, the codec used for packaging is not as critical, but for something as content-heavy as a game (which can easily grow up to hundreds of megabytes), requiring full download (due to the layout of a ZIP file) would result in a less-than-optimal user experience.

We are empathetic to the choice made here, but if there is a possibility for swapping this out to something that is friendlier to low-bandwidth environments (e.g. following the game example - you don't need stage 2 content of a game unless you actually reach stage 2, and there are no guarantees that the user will play that long) as saving on transmission is beneficial to the user. (It also allows for faster loading, even for users on performant networks.)

An alternative design would be to use Service Workers as a delivery mechanism, and keep the packages light - but this comes at a cost of complicating the developer experience. Alternatively one could argue this is doable with fetch(), but these are high-level alternative approaches one could take to move away from a monolithic package which is suboptimal with ZIP.

@QingAn
Copy link
Author

QingAn commented Feb 22, 2023

@ylafon I notice that the concerns are mostly related to the MiniApp Packaging specs or maybe MiniApp specs as a whole.

  1. BLOCKER: Origin model

Looking at https://github.com/w3c/miniapp-lifecycle/blob/main/docs/explainer.md#miniapp-origin the definition of Origin is crucial for following the same-origin policy, to ensure that the page is in a secure context to enable APIs that are only available in such context.

MiniApp Lifecycle explainer introduces one practice MiniApp platform vendors manage MiniApps. But it's not within scope of MiniApp Lifecycle. It's more like a broader topic which will be discussed in MiniApp WG.

  1. BLOCKER: Package can be modified by the intermediary
  1. ZIP

These two are related to MiniApp Packaging spec. I will deliver to spec editors to address.

@torgo
Copy link
Member

torgo commented Mar 21, 2023

Hi @QingAn - thanks for this. Please let us know if you need any input on w3c/miniapp#195 and we look forward to reviewing any outcomes.

@QingAn
Copy link
Author

QingAn commented Mar 21, 2023

@torgo We had an internal discussion this month and had some thinking and several possible proposals regarding TAG comment, especially the same origin issue. Now we are trying to solicit enough input from MiniApp vendors and document the converged proposal in GitHub issue.

With that said, MiniApp WG are still working on it. In this week WG call, we also are going to discuss this topic.

@torgo torgo modified the milestones: 2023-03-20-week, 2023-04-03-week, 2023-04-10-week Mar 23, 2023
@xfq
Copy link
Contributor

xfq commented Aug 28, 2023

Several rounds of discussions have been held among MiniApp vendors in the WG, and a solution to the above three concerns has been proposed: w3c/miniapp#195 (comment)

Any comment on this proposal?

@torgo
Copy link
Member

torgo commented Aug 29, 2023

Hi @xfq ! Thanks for this. We spent some time on our call today reviewing the proposal. It's clear this is going in the right direction and we very much appreciate the group addressing the TAG's concerns. We need to do a more thorough review and we will get back to you with a list of questions.

@torgo
Copy link
Member

torgo commented Feb 12, 2024

Just adding a note of correction here – we think at this point that we're waiting for a new proposal from the miniapp community regarding the packaging and security model. Please let us know if you need any feedback from TAG at this point.

@plinss plinss removed this from the 2024-02-26-week milestone Mar 11, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Progress: pending external feedback The TAG is waiting on response to comments/questions asked by the TAG during the review Review type: CG early review An early review of general direction from a Community Group Topic: Mini Apps Venue: MiniApps CG
Projects
None yet
Development

No branches or pull requests

7 participants