Isolated Web Apps (IWAs)

Isolated Web Apps (IWAs) are a security-focused evolution of Progressive Web Apps (PWAs), designed to offer stronger protection against server compromises and tampering. They differ from traditional web apps by not being hosted on live web servers or fetched over HTTPS. Instead, IWAs are packaged into Web Bundles, which are signed by the developer. This method ensures the app’s integrity and prevents tampering during distribution.

Isolated Web Apps are particularly useful for developers creating security-sensitive applications, where the threat of the main server being compromised is a significant concern. These apps extend existing technologies like Web Packaging and Content Security Policies (CSP) to provide an extra layer of defense against vulnerabilities such as cross-site scripting (XSS), resource tampering, and malicious code injection from compromised servers. Unlike standard web apps, IWAs address a threat model that goes beyond the scope of traditional security mechanisms.

In their current phase, IWAs can only be installed on enterprise-managed ChromeOS devices via the IsolatedWebAppInstallForceList policy. This ensures that only trusted and signed applications are deployed on managed devices, further bolstering security in enterprise environments.

Isolated Web Apps (IWAs) Key Concepts

  • Web Bundles: A new packaging format that allows IWAs to be distributed as a single, signed package. This eliminates the need for live web servers, making the apps more secure against server-side attacks.
  • Content Security Policies (CSP): IWAs leverage CSP to protect against XSS attacks by limiting what scripts and resources the app can execute or load.
  • Transport Layer Security (TLS) & Subresource Integrity (SRI): While TLS and SRI ensure resources are securely transmitted and not tampered with, IWAs extend these protections to cover scenarios where the main application server itself could be compromised.

IWAs Motivation

The push for Isolated Web Apps (IWAs) stems from the limitations of existing security policies. For security-sensitive applications—like those migrating from Chrome Apps or Electron—the possibility of the main application server being compromised poses a major threat. Existing mechanisms like TLS, SRI, and CSP protect against many threats but not the server itself serving malicious content. IWAs offer a solution by moving the app hosting off the server and into a signed package distributed via secure channels.
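The signed-package idea described above, as an added example that is not part of the original page and not Chromium code. It is a simplified model, not the real Web Bundle format: the function names, the JSON serialization and the pinned-key check are assumptions made for illustration.

```javascript
// Added illustration: a toy signed package, NOT the real Web Bundle format.
const crypto = require('node:crypto');

// Deterministic serialization of a toy bundle (path -> content), sorted by path.
function serialize(resources) {
  const entries = Object.keys(resources).sort().map((p) => [p, resources[p]]);
  return Buffer.from(JSON.stringify(entries), 'utf8');
}

// Developer side: sign the packaged resources once, at build time.
function signBundle(resources, privateKey, publicKey) {
  return {
    resources,
    publicKey: publicKey.export({ type: 'spki', format: 'der' }).toString('base64'),
    signature: crypto.sign(null, serialize(resources), privateKey).toString('base64'),
  };
}

// Installer side (assumed model): accept only bundles signed by the pinned key.
function verifyBundle(bundle, pinnedPublicKeyB64) {
  if (bundle.publicKey !== pinnedPublicKeyB64) return 'untrusted-signer';
  const key = crypto.createPublicKey({
    key: Buffer.from(bundle.publicKey, 'base64'), format: 'der', type: 'spki',
  });
  const ok = crypto.verify(null, serialize(bundle.resources), key,
    Buffer.from(bundle.signature, 'base64'));
  return ok ? 'ok' : 'tampered';
}

function demo() {
  const dev = crypto.generateKeyPairSync('ed25519');
  const other = crypto.generateKeyPairSync('ed25519'); // any key that is not the developer's
  // Constructed sample app contents.
  const app = { '/index.html': '<script src="/app.js"></script>', '/app.js': 'render();' };
  const signed = signBundle(app, dev.privateKey, dev.publicKey);
  const pinned = signed.publicKey; // identity the installer trusts

  // A resource changed after signing: the developer's signature no longer matches.
  const tampered = { ...signed, resources: { ...app, '/app.js': 'render(); /* modified */' } };
  // The changed resources re-signed with a different key: signer is not the pinned one.
  const resigned = signBundle(tampered.resources, other.privateKey, other.publicKey);

  return {
    original: verifyBundle(signed, pinned),
    tampered: verifyBundle(tampered, pinned),
    resigned: verifyBundle(resigned, pinned),
  };
}

console.log(demo());
```

Because verification happens against the package and a pinned signer rather than against whatever a server returns at load time, content changed on the distribution path is rejected before it runs.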

Development and Debugging:

Although IWAs build on familiar web technologies, they introduce stricter policies that can make debugging a bit more complex. The existing tools for debugging PWAs and Web Bundles will still apply, but additional diagnostics are being considered to help developers understand when their app is misbehaving due to the stricter policies.

Compatibility and Interoperability:

IWAs are still in the early stages of development and have not yet been implemented across all browsers. Currently, there is no signal of support from Gecko (Firefox) or WebKit (Safari). However, the concept only applies to installed web apps, so it does not affect WebViews, which are used in many mobile applications.

IWAs Risks

Isolated Web Apps (IWAs) do not deprecate or alter the behavior of existing APIs. Since they are limited to installed web apps, they won’t impact traditional web app models or WebViews.

Future Milestones

As the feature is still in its early stages (explainer stage), there are no defined milestones yet. Development is currently focused on implementing the necessary infrastructure in Blink and Chrome, with a possible developer mode similar to Chrome Extensions expected in the future.

Flag for Developers:
Developers can use the --isolated-app-origins flag to enable isolation when installing a web app during development. The future implementation will more closely mirror how Chrome Extensions development works, providing a “developer mode” for IWAs.

Summary

In short, IWAs are a groundbreaking step for developers who need more robust security for their web apps. By moving away from the traditional model of live server hosting, IWAs offer a more secure, packaged approach that reduces risks posed by server-side attacks. Although still in the early stages, this technology represents a significant advancement for web application security.
