
re: Will desktop #PWAs kill hybrid wrappers like electronjs?

re: No. Electron allows you to interface with the local computer system. Whereas PWAs still have a sandboxed model and more limited access. In fact one...

I agree with this but how long until the sandbox widens so much that the differences aren't that important?


That I could not say. There is no technical reason why PWAs could not do everything desktop apps could do in the future.

One big concern is security. Compared to a compiled app, JavaScript is a much more exposed attack vector, because a web app can inject arbitrary JavaScript in an ad hoc manner. It is common for desktop apps to download data, but less so to download and execute new code. (This is normally a user-permitted process: installing updates or plugins. Otherwise it's probably malware.) JavaScript only gets away with it because of sandboxed access. It would be possible to place restrictions on dynamic loading so that the PWA could have more unfettered access, e.g. disable eval, disable adding script tags to the DOM, etc. Maybe even require that all content be included and "compiled" into a single page.

The harder problem could be that browsers would need to develop cross-platform unified APIs to access hardware. That is a very large elephant to eat, and the browser would essentially become a virtual machine on top of the OS. Seems Chrome already had this inkling, but this level of standardization is still a ways off if something "better" doesn't supplant it in the meantime. (It is tech after all.)

There's a thing called CSP which can disallow eval and script tags without a nonce.

Interesting. I'd still like it better if browsers strictly disabled such things in PWAs instead of me having the capability to screw up the CSP headers.
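As an added example (not code posted by anyone in this thread), a small evaluator for the script part of a Content-Security-Policy header: it shows how a policy blocks eval and inline scripts that lack a matching nonce, and how one stray keyword ('unsafe-inline' or 'unsafe-eval') undoes that. The header values and nonce are constructed.

```javascript
// Parse "directive src src; directive src" into { directive: [sources] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    // Browsers honour the first occurrence of a duplicated directive.
    const key = name.toLowerCase();
    if (!(key in policy)) policy[key] = sources;
  }
  return policy;
}

// script-src governs scripts; if absent, default-src applies; if neither
// is present, the policy does not restrict scripts at all.
function scriptSources(policy) {
  return policy["script-src"] ?? policy["default-src"] ?? null;
}

// eval()/new Function() run only when 'unsafe-eval' is present
// (or when scripts are not governed by the policy at all).
function evalAllowed(policy) {
  const src = scriptSources(policy);
  return src === null || src.includes("'unsafe-eval'");
}

// Is an inline <script> element permitted? A matching nonce always wins.
// 'unsafe-inline' permits all inline scripts, but CSP Level 2+ browsers
// ignore it once any nonce or hash source appears in the same directive.
function inlineScriptAllowed(policy, elementNonce) {
  const src = scriptSources(policy);
  if (src === null) return true;
  const nonces = src
    .filter((s) => /^'nonce-[^']+'$/.test(s))
    .map((s) => s.slice(7, -1)); // strip the quotes and "nonce-" prefix
  const hasNonceOrHash =
    nonces.length > 0 || src.some((s) => /^'sha(256|384|512)-/.test(s));
  if (elementNonce && nonces.includes(elementNonce)) return true;
  return src.includes("'unsafe-inline'") && !hasNonceOrHash;
}

// Constructed sample headers: a strict policy and a "screwed up" one.
const STRICT = "default-src 'self'; script-src 'self' 'nonce-r4nd0m'";
const WEAK = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'";
```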


I hope for a very long time.

If any website could have APIs with direct access to my filesystem, or to something else on this level, I'd go further than what I'm already doing (basically blocking all 3rd-party content except images) and completely block JavaScript.

In-browser code execution can already cause some serious damage; I can only imagine what would happen if the APIs were more low-level or broader, especially around advertising and tracking.
