FDC3 for Web Browsers Discussion group 10th Aug 2023

[kriswest]

Group overview

Group convened to discuss how to enable FDC3 use in a web browser, without the use of a browser extension (such as fdc3-desktop-agent or a container).

Issue: #896
Mailing list discussion: https://groups.google.com/a/finos.org/g/fdc3/c/jCvlLjokBLs

In a recent email on the FDC3 mailing list, @kriswest wrote:

... I also want to add that there is clearly significant interest in the community in enabling FDC3 use on the web. There is a strong use case in that it would enable better onboarding journeys with less drop-off (where you use an app on the web with others before adopting a desktop container or similar).

and:

But there are also additional challenges such as how to make the API available reliably without importing a proprietary module from a particular vendor into every app, how to deal with more than one implementation of API/Desktop Agent in the browser at once, how to do this reliably and securely within the browser sandbox etc.. Work needs to be done in the Standard to solve these issues and to make web browser use possible in a future FDC3 Standard version - which I believe is possible (and likely to involve using a vendor-agnostic FDC3 NPM module to detect and connect to API implementation(s)). However, we're going to need to do that work to enable the aforementioned API implementations to be compliant and if we fail to hold the line now on compliance with the current version of the FDC3 Standard, that may never happen.

Shared doc with current draft: https://tick42-my.sharepoint.com/:w:/g/personal/finsemble_datastore_interop_io/EZ0dfTCdRlJCnIF3C_1Oit0B7xK0OOJ0nAvC73dwad53AA?e=x2zlge

Relevant issue tags

Current open issues that relate to the above concepts with the label:

Meeting Date

Thursday 10 Aug 2023 - 11am EST / 4pm BST

WebEx info

• Meeting link: https://finos.webex.com/finos/j.php?MTID=mc297e9962d73ad18f6539745ce79abf9
• Meeting number: 2552 173 3304

More ways to join

• Join by video system:
  • Dial 25521733304@finos.webex.com
  • You can also dial 173.243.2.68 and enter your meeting number
• Join by phone
  • +1-415-655-0003 US Toll
  • +44-20319-88141 UK Toll
• Access code: 255 217 33304

Meeting notices

• FINOS Project leads are responsible for observing the FINOS guidelines for running project meetings. Project maintainers can find additional resources in the FINOS Maintainers Cheatsheet.

• All participants in FINOS project meetings are subject to the LF Antitrust Policy, the FINOS Community Code of Conduct and all other FINOS policies.

• FINOS meetings involve participation by industry competitors, and it is the intention of FINOS and the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws. Please contact legal@finos.org with any questions.

• FINOS project meetings may be recorded for use solely by the FINOS team for administration purposes. In very limited instances, and with explicit approval, recordings may be made more widely available.

• A Discussion Group has no direct decision-making power regarding the FDC3 standard - rather it is intended that anything they propose or work on will result in proposals (via Github issues and PRs) for the Standards Working Group participants to consider and vote on for inclusion in the standard.

Agenda

• Convene & roll call, review meeting notices (5mins)
• Review action items and discussion from previous meeting (15mins)
  • FDC3 for Web Browsers Discussion group 27th July 2023 #1041
  • Recap of last discussion of identity validation
    • Usage in child window use case (use case 2)
    • Usage in independent window use case (use case 3)
    • Usage in micro-frontend-container use case (use case 4)
    • Is it needed in container use case (use case 1)
• Discuss an implementation proposal (20 mins)
• Review FINOS labs implementation first pass (15 mins)
• Adjourn

Minutes

• @kriswest provided a recap of the discussion last time on identity validation, the need for it and @pbaize's proposal for scoping app-provided identities via browser provided origins to make them more trust-worthy.
  • @novavi noted that there is still the issue of apps validating a Desktop Agent's identity to consider
    • @kriswest responded that this is also an issue in current FDC3 versions as well as Bridging and that it is not really worse in the Web Browser case. However, the app identity cases are worse in the Web Brwoser where address bars are available for user navigation and the DEsktop Agent can't simply query the current URL of another window (as it usually can in a container). However, it does bear further analysis and that this will be a key job for the Identity & Threat Modelling discussion group proposed to start-up in September
    • @kriswest asked for and received consent to proceed without addressing this issue and to export it to the Identity & Threat Modelling discussion group to look at - with this group providing some input.
• An overview of the proposal was provided by @kriswest (with thanks to @novavi and @robmoffat for help boiling it down from the discussion). Direct link to proposal
  • @novavi raised the issue of multi-hop messaging where a child window, launched by a parent desktop window, creates an iframe that is a different app. In such a situation the grandchild iframe might need to send a message to its parent and then have that relayed onto the parent window (DA).
    • This means that the origin in the message that reaches the Desktop Agent will be from the child window, rather than the grandchild iframe
    • However @novavi believes that you can in fact message direct from the grandchild to parent via window.parent.opener negating this issue - tested in Chrome. @robmoffat confirmed that he was able to do this in Safari as well.
• @robmoffat Provided and introduction to example implementation at https://github.com/finos-labs/fdc3-for-the-web
  • This is currently based on a dynamic script load (@kriswest commented that this is just a small part of a discovery solution - so a great start regardless), and demonstrates how a cross-vendor solution based on an Open Source access lib is definitely possible and hence desirable.
  • Several members of the group thanked @robmoffat for getting started on a reference implementation
• @kriswest requested that participants review the proposal and notes + first pass at implementation (which is not in sync with the notes yet!) and be ready to provide feedback, questions or agreement to proceed with the proposal at the next meeting, with the goal of moving towards implementation of a final solution ASAP.

Action Items

• @novavi Confirm whether messaging via window.parent.opener is supported in the HTML Standard (https://html.spec.whatwg.org/multipage/web-messaging.html) and all major browsers (Firefox has not been checked).
  • Further, Is it affected by navigation of the iframe?
• All: review proposal and @robmoffat's example Implementation (not yet perfectly mapped to the proposal but similar): https://github.com/finos-labs/fdc3-for-the-web ready to provide feedback or agree the proposal outline at the next meeting in September
• @kriswest Prepare a meeting agenda for next time that includes:
  • revisiting the proposal and example implementation for feedback.
  • decision of whether to include dynamic script includes (secured appropriately) or to remove them from the proposal.
  • Focus on next steps re: proposed documentation in the Standard and implementation (likely within the existing FDC3 NPM module, replacing the fdc3Ready function - to be agreed).

Untracked attendees

Full name	Affiliation	GitHub username

[novavi]

Derek Novavi / S&P Global

[openfin-johans]

Johan Sandersson / OpenFin 🎁

[kriswest]

Kris West / Interop.io 🚀

[pbaize]

Pierre Baize / OpenFin

[robmoffat]

Rob / FINOS 🌤️

[Julia-Ritter]

Julia / FINOS 🌊

[timjenkel]

Tim / Wellington

[cristiano-belloni]

Cristiano / UBS

[arpanoid]

Arpan / State Street

[robmoffat]

Example Implementation: https://github.com/finos-labs/fdc3-for-the-web

[kriswest]

@Yannick-Malins Please take a look at this meeting's minutes for input to the Identity & Threat modeling discussion group