Giter Site home page Giter Site logo

miniapp-packaging's Introduction

miniapp-packaging's People

Contributors

espinr avatar xfq avatar zhangyongjing avatar

Stargazers

Luis Ángel Maciel avatar NTGR8R avatar Sunghyun Cho avatar Ádám Jäger avatar NoBey avatar avatar avatar Ambit Tsai avatar xyxiao001 avatar okmttdhr, tada avatar coderyi avatar Gennaro Landolfi avatar Supra Wang avatar TengyuanZhang avatar

Watchers

Yves Lafon avatar Marc Prud'hommeaux avatar James Cloos avatar 张凯 avatar Dave Raggett avatar Ralph Swick avatar avatar Supra Wang avatar himorin / Atsushi Shimono avatar avatar avatar Hyeseong Kim avatar yo_na avatar Qing An avatar avatar

Forkers

espinr ternence isabella232 zhangyongjing supra-cn michaelwangzitao cola119 luisangelmaciel

miniapp-packaging's Issues

Can we consider epub as a package format?

Hi guys, I have been reading this spec recently and I think the mini app is an amazing idea (Yes I am user of some of the Wechat MiniApp as well).

Beside the whole concept of miniapp, I found this section very interesting to me https://www.w3.org/TR/mini-app-white-paper/#constructor

A MiniApp package is a compressed format (e.g. zip) archive, including:

I wonder if could consider epub as a container? or if you have explored already?

I am very interested in the possibility of using epub package since I am also co-chairing the publishing cg. If you would like to share the idea of mini app can we have some joint meeting to introduce mini-app to publishing cg?

Section 1.1 requires loading the entire app at once?

This issue is being filed as part of PING wide review.

Section 1.1. seems to require the runtime load all mini-app resources at once, instead of loading them as needed.

After retrieving the MiniApp ZIP container, the MiniApp user agent loads the static page templates, stylesheets, JavaScript files, and other resources into the cache, following a dereference and processing algorithm. These MiniApp resources will remain available in the cache until the next update, avoiding unnecessary network fetches.

This seems like it would be a very expensive choice, especially if the miniapp contains a lot of code or subpages that the user might never use. Is this needed? Are runtimes prohibited from loading resources on demand / lazing loading? If so, it might be worth reconsidering, since this seems an expensive option. If not, i suggest clarifying Section 1.1.

This is not a blocking privacy issue, but I'm mentioning it since it came up during the review

How/When to update MiniApps?

Raising issue per action 01 of CG meeting on Jun 17, where we discussed the issue w3c/miniapp-lifecycle#8 (Update mechanism of MiniApps).

Apart from the possible effects in terms of lifecycle (i.e., trigger events, change status) we commented that the update mechanisms of MiniApps might affect mainly the Packaging and Manifest specs.

The MiniApp Packaging spec includes an algorithm for fetching and processing the package. So, the update mechanism may affect this algorithm. So far, the user agent fetches the package and process it once. Should we include additional metadata (in the Manifest?) to indicate how/when to update the package?

The current package processing algorithm would finish when the MiniApp reaches the launched status, so we could extend the algorithm to update the package once the MiniApp is launched.

Comments?

Security and privacy considerations

I'm not a security expert, here are just a few security and privacy related considerations I can think of for the WG to discuss. We can split them into separate issues if needed.

Add a separate Privacy Considerations section

Per Privacy Reviews Guidelines, we need to have a Privacy Considerations section, separate from Security Considerations.

Some things we may want to add about security and privacy include:

Recommendations to MiniApp implementers

We can add some recommendations for MiniApp implementers, such as:

  • User agents should examine all vectors of attack from a MiniApp package and protect against them, such as attack of one MiniApp against another in the same user agent, or pretending to be another MiniApp or website in order to steal user information.

  • MiniApp user agents should also check the package for malicious scripts, links, remote resources, and so on.

  • User agents should isolate MiniApps from each other. On the same device, user A must not be able to read user B's data in the local storage; and different MiniApps must not read and write data in the local storage to each other.

  • Some MiniApp user agents may collect user data. We should recommend user agents to be clear about the data being collected and how it is used.

In addition, many MiniApp implementations (like 1 2 3 4) disallow dynamic code loading like eval and new Function as a defense mechanism to stop XSS attacks. Currently, it is not mentioned in the Scripting Resources section. Should we consider standardizing this?

Recommendations to MiniApp developers

Should we write some security and privacy recommendations related to the developer of MiniApps, such as using HTTPS when requesting resources?

Redundant definition about allowed filenames?

This issue is being filed as part of PING wide review.

A fair amount of this spec defines what characters can be used in filenames (Section 2.1.5.). This text seems highly redundant with existing text in other W3C notes and documents (for example, https://www.w3.org/TR/international-specs/#file_naming). If possible i suggest your spec not have its own rules for deciding which filenames are legal, and instead refer to other existing documents / specs

This is not a blocking privacy issue, but I'm mentioning it since it came up during the review

Consider the scalability of the MiniApp packaging format and method.

From the perspective of different browser usage scenarios and requirements, We should consider the scalability of the MiniApp packaging method.

Such as, the Chrome Browser needs the security of cross-domain resource access. The package specification of Web-Packaging is recommended, which makes more reliable signatures checking for offline resource access and sub-package loading (Fetch). WICG/webpackage

I suggest that the package structure specification of the MiniApp should consider the requirements of different packaging formats. Write a chapter to provide an extensible packaging mechanism. Through different packaging algorithms and format standards, packaging the development code into different formats, which can support the expansion of different file formats.

Using this way. the MiniApp Package will widely be distributed internationally and compatible with browsers.

Steps to configure the platform before launching a MiniApp

In the Packaging spec we are specifying the algorithms for processing a MiniApp. So far, the specification includes the first step for retrieving the package, the setup based on the manifest, and the initialization of the platform, before launching the MiniApp.

The Lifecycle specification defines MiniApp Initialization, and the event related to this status, launched. So, the processing algorithm should include this change in the global status. This global status means that the MiniApp initialization is completed, so we should indicate how this initialization is complete.

So far, the algorithm has a step the platform runtime preparation that contains:

  1. Verification of compatibility
  2. Start page identification
  3. Locale identification

Do we need other specific intermediate steps (or change the existing ones) to configure both the logic and the rendering engines before changing the global status to launched?

Add a section on accessibility?

Per MiniApps WG charter:

Each specification must contain a section on accessibility that describes the benefits and impacts, including ways specification features can be used to address them, and recommendations for maximizing accessibility in implementations.

RFC 2119 key words in accessibility considerations

https://w3c.github.io/miniapp-packaging/#sec-accessibility

The Accessibility Considerations section is non-normative, but contains many RFC 2119 key words. I think the best practice is to avoid using these key words in non-normative sections (and use them carefully in normative sections). We could consider changing this section to normative or changing the wording. I have bolded the relevant key words:

The MiniApp Packaging specification requires user agents to process the MiniApp container and its content to generate a user interface and a concrete behavior based on the internal resources (i.e., HTML, stylesheets, scripting, and others) and the configuration (i.e., manifest, app.ux). User agents must ensure that the user interface and rendered content after the package processing and load are perceivable and operable under all circumstances and in every potential scenario. User agents must enable the configuration of different stylesheets to adapt the appearance to the user’s requirements, also offer the possibility to configure and control the display and the orientation of windows and viewports, as required by some members of the manifest.json (MiniApp Manifest).

Although not specified in this document, it is recommended that user agents guarantee the accessibility aspects in the user interaction, like offering full keyboard access or support alternative input devices (if feasible) and enabling users to store the preference settings to facilitate interaction. MiniApp user agents and platforms should provide mechanisms for rendering and interacting with the application, facilitating the integration of assistive technology, and complying with applicable specifications and conventions, particularly the User Agent Accessibility Guidelines (UAAG) 2.0.

Case folding of the file names

https://w3c.github.io/miniapp-packaging/#file-names

All File Names within the same directory MUST be unique following case normalization as described in section 3.13 of [Unicode].

This sentence does not seem to be very clear. Please refer to Case Mapping and Case Folding and Additional Considerations for Case Folding in charmod-norm.

See https://w3c.github.io/epub-specs/epub33/core/#sec-container-filenames (and related PRs w3c/epub-specs#1648 and w3c/epub-specs#1692 ) for an example.

Streaming

Some implementations use a streaming format to download and load packages to optimize the MiniApp load time. Is it worth specifying?

As an example, ByteDance Mini Programs use their own ttpkg package format instead of a zip package, so they don’t need to wait for the complete package to be downloaded before they can load it.

(Sub-packaging is another feature that reduces loading time, and a MiniApp platform can implement both of them.)

[meta] Wide review tracker

As a requirement for transitioning to Candidate Recommendation the group:

MUST show that the specification has received wide review

To satisfy this requirement, we can use this tracker issue as evidence that wide review from horizontal groups has been received.

Split content and packaging?

The group is still discussing about the formats, document definition and manipulation (see issue #2)... In my opinion, the specification of the content (templating/binding/DOM manipulation) should be outside the Packaging spec (as its name indicates, it's just about the "envelope" and the processing of it). In any case, we should indicate the type of files and resources.

So, my question is if we should propose a new deliverable that complements the UI Components spec to describe the content of a MiniApp. So the packaging can be described in a generic way (structure and ZIP format), and the "MiniApp Content" specification may define how a MiniApp page is created in terms of:

  • HTML content documents (HTML profile with the supported elements, extension of those we need to extend, or the XML application profile needed)
  • CSS stylesheets (CSS profile since not all modules are supported, CSS extensions like -miniapp-orientation, -miniapp-page-width,...)
  • Scripting documents (including the considerations in the Event Model)
  • Templating (perhaps as a normative section)
  • UI Components (link to the UI components document)
  • APIs and Services (APIs supported)

This is something similar to the approach followed by the EPUB group. Since it is not part of the charter, I suppose we need to start it from the CG.

Opinions?

Refer to BCP 47

https://w3c.github.io/miniapp-packaging/#sec-miniapp-i18n

The link to and name of BCP 47 was created specifically so that there is an unchanging reference to the definition of language tags. RFC4646 and RFC4647 are not the recommended method to refer to IETF language tags.

BCP 47 contains one RFC dedicated to the syntax and subtags of language tags, and another dedicated to specify items in a user's list of language preferences.

Privacy considerations section requires users to manage storage

This issue is being filed as part of PING wide review.

The privacy considerations section seems to prohibit implementations from deleting or clearing user storage.

End-users MUST decide whether to remove the information stored by the user agent, corresponding to any MiniApp instance.

Since this information can include user identifiers and other sensitive information (depending on the purpose of the MiniApp), this seems to prevent implementors from taking steps to limit the lifetime of these stored identifiers (or take other steps on behalf of users to improve user privacy). Requiring users, and only users, to manage what data is stored on their device seems to place a significant responsibility on users to understand the risks and usefulness of long term (and possibly rarely accessed data) which seems to invite possible harm. It seems equivalent to preventing browsers, for example, from clearing long-lived cookies or other similar interventions.

More broadly, I urge the group to revise this text, so that privacy-focused implementations can take steps on behalf of users to protect user privacy, especially in cases where users may be poorly equipped to manage (or even understand) the data themselves.

If the above is not possible, it would be useful to understand why

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.