re: Will desktop #PWAs kill hybrid wrappers like electronjs?


No. Electron allows you to interface with the local computer system, whereas PWAs still have a sandboxed model and more limited access. In fact one of the primary reasons to use a desktop app in the first place is to get that access you can't get from web apps. E.g. directly writing to printers, interfacing with running accounting software, etc. PWAs add access to a few more services, but are not a replacement for a desktop app.


I agree with this but how long until the sandbox widens so much that the differences aren't that important?


That I could not say. There is no technical reason why PWAs could not do everything desktop apps could do in the future.

One big concern is security. Compared to a compiled app, JavaScript is a much more exposed attack vector, because a web app can inject arbitrary JavaScript in an ad-hoc manner. It is common for desktop apps to download data, but less so to download and execute new code. (This is normally a user-permitted process: installing updates or plugins. Otherwise it's probably malware.) JavaScript only gets away with it because of sandboxed access. It would be possible to place restrictions on dynamic loading so that the PWA could have more unfettered access. E.g. disable eval, disable adding script tags to the DOM, etc. Maybe even require that all content be included and "compiled" into a single page.

The harder problem could be that browsers would need to develop cross-platform unified APIs to access hardware. That is a very large elephant to eat, and the browser would essentially become a virtual machine on top of the OS. Seems Chrome already had this inkling, but this level of standardization is still a ways off if something "better" doesn't supplant it in the meantime. (It is tech after all.)

There's a thing called CSP which can disallow eval and script tags without a nonce.

Interesting. I'd still like it better if browsers strictly disabled such things in PWAs instead of me having the capability to screw up the CSP headers.
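
The CSP exchange above turns on how easy it is to get the header wrong, so here is an added example (not part of the original thread) that audits a `Content-Security-Policy` value for the two things mentioned: eval and script tags without a nonce. The function names `parseCsp` and `auditScriptPolicy` and both sample policies are constructed for illustration.

```javascript
// Parse a Content-Security-Policy header value into directive -> sources.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers; the first one wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Return findings about eval and script loading without a nonce.
function auditScriptPolicy(header) {
  const csp = parseCsp(header);
  // script-src falls back to default-src when absent.
  const sources = csp.get('script-src') ?? csp.get('default-src');
  if (sources === undefined) {
    return ['no script-src or default-src: scripts are unrestricted'];
  }
  const lower = sources.map((s) => s.toLowerCase());
  const findings = [];
  const hasNonceOrHash = lower.some((s) => /^'(nonce|sha256|sha384|sha512)-/.test(s));
  const strictDynamic = lower.includes("'strict-dynamic'");
  if (lower.includes("'unsafe-eval'")) {
    findings.push("'unsafe-eval' re-enables eval() and new Function()");
  }
  // 'unsafe-inline' is ignored once a nonce, hash or 'strict-dynamic' is present.
  if (lower.includes("'unsafe-inline'") && !hasNonceOrHash && !strictDynamic) {
    findings.push("'unsafe-inline' allows inline script without a nonce");
  }
  // With 'strict-dynamic', host and scheme sources are ignored.
  if (!strictDynamic) {
    for (const s of lower) {
      if (s === '*' || /^(https?|data|blob):$/.test(s)) {
        findings.push(`broad source ${s} allows script from any matching URL`);
      }
    }
  }
  return findings;
}

// Constructed sample policies (not taken from any real site).
const STRICT = "default-src 'self'; script-src 'nonce-r4nd0m' 'strict-dynamic' https: 'unsafe-inline'";
const LOOSE = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https:";

console.log(auditScriptPolicy(STRICT)); // []
console.log(auditScriptPolicy(LOOSE));
```

In the strict policy the `https:` and `'unsafe-inline'` tokens are only fallbacks for older browsers, which is why the audit does not flag them there.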


I hope for a very long time.

If any website of some kind could have some APIs to directly have access to my filesystem, or some other thing on this level, I'd go further than what I'm already doing (basically blocking every 3rd party content except images) and completely block JavaScript.

In-browser code execution can already cause some serious damage; I can only imagine what would happen if the APIs were to be more low-level/broad, especially around advertisement and tracking.


Thanks for the thoughts @kasey. Agreed! If my app is limited to less hardware/machine level access, then is it clever to invest in PWAs??


Yes, I think it is wise to invest in PWAs. You basically get to reuse the same web skills, and add in a (comparatively) few PWA particulars. Although the caching bit can bite you. It is a big win for many kinds of apps to be installable and usable offline on mobile and desktop without having to pick up a completely different toolchain.


Agreed, I think PWAs have a long time until they catch up to desktop app functionality.
