Isolated Web Apps (IWAs)

Isolated Web Apps (IWAs) are a security-focused evolution of Progressive Web Apps (PWAs), designed to offer stronger protection against server compromises and tampering. They differ from traditional web apps by not being hosted on live web servers or fetched over HTTPS. Instead, IWAs are packaged into Web Bundles, which are signed by the developer. This method ensures the app’s integrity and prevents tampering during distribution.

Isolated Web Apps are particularly useful for developers creating security-sensitive applications, where the threat of the main server being compromised is a significant concern. These apps extend existing technologies like Web Packaging and Content Security Policies (CSP) to provide an extra layer of defense against vulnerabilities such as cross-site scripting (XSS), resource tampering, and malicious code injection from compromised servers. Unlike standard web apps, IWAs address a threat model that goes beyond the scope of traditional security mechanisms.

In their current phase, IWAs can only be installed on enterprise-managed ChromeOS devices via the IsolatedWebAppInstallForceList policy. This ensures that only trusted and signed applications are deployed on managed devices, further bolstering securityhttps://gotochrome.com/chrome-os/ in enterprise environments.

Isolated Web Apps (IWAs) Key Concepts

• Web Bundles: A new packaging format that allows IWAs to be distributed as a single, signed package. This eliminates the need for live web servers, making the apps more secure against server-side attacks.
• Content Security Policies (CSP): IWAs leverage CSP to protect against XSS attacks by limiting what scripts and resources the app can execute or load.
• Transport Layer Security (TLS) & Subresource Integrity (SRI): While TLS and SRI ensure resources are securely transmitted and not tampered with, IWAs extend these protections to cover scenarios where the main application server itself could be compromised.

IWAs Motivation

The push for Isolated Web Apps (IWAs) stems from the limitations of existing security policies. For security-sensitive applications—like those migrating from Chrome Apps or Electron—the possibility of the main application server being compromised poses a major threat. Existing mechanisms like TLS, SRI, and CSP protect against many threats but not the server itself serving malicious content. IWAs offer a solution by moving the app hosting off the server and into a signed package distributed via secure channels.

Development and Debugging:

Although IWAs build on familiar web technologies, they introduce stricter policies that can make debugging a bit more complex. The existing tools for debugging PWAs and Web Bundles will still apply, but additional diagnostics are being considered to help developers understand when their app is misbehaving due to the stricter policies.

Compatibility and Interoperability:

IWAs are still in the early stages of development and have not yet been implemented across all browsers. Currently, there is no signal of support from Gecko (Firefox) or WebKit (Safari). However, the concept only applies to installed web apps, so it does not affect WebViews, which are used in many mobile applications.

IWAs Risks

Isolated Web Apps (IWAs) do not deprecate or alter the behavior of existing APIs. Since they are limited to installed web apps, they won’t impact traditional web app models or WebViews.

Future Milestones

As the feature is still in its early stages (explainer stage), there are no defined milestones yet. Development is currently focused on implementing the necessary infrastructure in Blink and Chrome, with a possible developer mode similar to Chrome Extensions expected in the future.

Flag for Developers:
Developers can use the --isolated-app-origins flag to enable isolation when installing a web app during development. The future implementation will more closely mirror how Chrome Extensions development works, providing a “developer mode” for IWAs.

Summary

In short, IWAs are a groundbreaking step for developers who need more robust security for their web apps. By moving away from the traditional model of live server hosting, IWAs offer a more secure, packaged approach that reduces risks posed by server-side attacks. Although still in the early stages, this technology represents a significant advancement for web application security.