Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Script tag extension for secure local computing #6541

Closed
ghost opened this issue Mar 29, 2021 · 2 comments
Closed

Script tag extension for secure local computing #6541

ghost opened this issue Mar 29, 2021 · 2 comments
Labels
addition/proposal New features or enhancements needs implementer interest Moving the issue forward requires implementers to express interest

Comments

@ghost
Copy link

ghost commented Mar 29, 2021
edited by ghost
Loading

Context

Developers and users need ways to securely and transparently do local computing and interact with local resources from within the browser, as indicated by the popularity of frameworks like Electron, NW.js, Chromium Embedded Framework and other webview runtimes.

Proposal

In the context of a web application, in the body of index.html hosted at: https://application.com, we could have a script tag extension for local computing via a secure javascript runtime, based on a "user-granted permissions" model such as the one enforced in Deno:

<script type="deno" src="index.js" allow-write="path/to/mydocumentfolder" 
allow-net="https://application.com"</script>

In the app manifest, permissions are explicitely declared so that the browser can request them to the user:

{
	"permissions": [
		{
			"deno": {
				"allow-write": "path/to/mydocumentfolder",
				"allow-net": "https://application.com"
			}
		}
	]
}

During the installation of the web application, the browser requests the user to grant the permissions explicitely present into the application manifest. In this case, it uses two permissions in order for the deno process to be able to write to a local folder and to allow network requests to a particular domain.

In the case the permissions are not granted by the user, the script would not run. In the case the user grants the necessary permissions, the script tag can then launch a local deno process in its own context, which would translate into the following command:

deno --allow-write=path/to/mydocumentfolder --allow-net=https://application.com https://application.com/index.js

If deno is not installed the script would just fail. If it is installed, the Deno process would launch and could then possibly communicate with the webpage through websockets, webtransport, etc.. effectively allowing a secure way (controlled by the end-user) to do local computing and to interact with local resources from within a web application.
@ghost ghost mentioned this issue Mar 29, 2021
Closed
@ghost
Copy link
Author

ghost commented Mar 30, 2021

Related in w3c/webappsec: Web Applications should not have internet access by default (#578)

@domenic domenic added addition/proposal New features or enhancements needs implementer interest Moving the issue forward requires implementers to express interest labels Mar 30, 2021
@domenic
Copy link
Member

domenic commented Apr 6, 2021

Closing per whatwg/fetch#1209 (comment).

@domenic domenic closed this as completed Apr 6, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
addition/proposal New features or enhancements needs implementer interest Moving the issue forward requires implementers to express interest
Milestone
No milestone
Development

No branches or pull requests
1 participant
@domenic