re: Will desktop #PWAs kill hybrid wrappers like electronjs? VIEW POST

re: I agree with this but how long until the sandbox widens so much that the differences aren't that important?

That I could not say. There is no technical reason why PWAs could not do everything desktop apps could do in the future.

One big concern is security. Compared to a compiled app, javascript is a much more exposed attack vector. Because a web app can inject arbitrary javascript in an ad-hoc manner. It is common for desktop apps to download data, but less so to download and execute new code. (This is normally a user-permitted process: installing updates or plugins. Otherwise it's probably malware.) Javascript only gets away with it because of sandboxed access. It would be possible to place restrictions on dynamic loading so that the PWA could have more unfettered access. E.g. Disable eval, disable adding script tags to the DOM, etc. Maybe even require all content has to be included and "compiled" into a single page.

The harder problem could be that browsers would need to develop cross-platform unified APIs to access hardware. That is a very large elephant to eat, and the browser would essentially become a virtual machine on top of the OS. Seems Chrome already had this inkling, but this level of standardization is still a ways off if something "better" doesn't supplant it in the meantime. (It is tech after all.)

There's a thing called csp which can disallow eval and script tags without a nounce

Interesting. I'd still like it better if browsers strictly disabled such things in PWAs instead of me having the capability to screw up the CSP headers.

code of conduct - report abuse