Isolated Web Apps
19 hours ago
- #chrome
- #web-development
- #security
- Isolated Web Apps (IWAs) provide a high-trust security model for web applications, enabling access to powerful APIs not safe for the 'drive by web'.
- IWAs are packaged, versioned, signed, and isolated from normal web browsing, running on a separate protocol (isolated-app://).
- To create an IWA, developers must generate signing keys, bundle their app into a Signed WebBundle (.swbn file), and test it using Chrome's IWA developer tools.
- IWAs enforce strict Content Security Policies (CSP) and cross-origin isolation to prevent security vulnerabilities and ensure trust.
- Permissions in IWAs are blocked by default and must be explicitly declared in the Web App Manifest's permissions_policy field.
- IWAs require a Web App Manifest with version and update_manifest_url fields, and updates are managed via a Web Application Update Manifest.
- Initially, IWAs can only be installed on Chrome Enterprise managed Chromebooks by administrators through the Admin panel.
- Extensions can interact with IWAs by declaring the IWA's origin in the extension's manifest under externally_connectable.