design-reviews#1051: (brand new ✨) Web Install API

#1051: (brand new ✨) Web Install API

Opened Feb 17, 2025

Hola (again) TAG!

I'm requesting a TAG review of the Web Install API.

The Web Install API provides a way to democratise and decentralise web application acquisition, by enabling "do-it-yourself" developers to have control over the application discovery and distribution process, providing them with the tools they need to allow a web site to install a web app. This means end users have the option to more easily discover new applications and experiences that they can acquire with reduced friction.

Explainer¹: https://aka.ms/webinstall
Specification: N/A
WPT Tests:
User research:
Security and Privacy self-review²: here
GitHub repo: https://github.com/MicrosoftEdge/MSEdgeExplainers/blob/main/WebInstall/
Primary contacts:
- Diego Gonzalez(@diekus), Microsoft, Program Manager for Web Install API
Organization/project driving the specification:
- @MicrosoftEdge
Multi-stakeholder support³:
- Chromium comments:
- Mozilla comments: https://github.com/mozilla/standards-positions/issues/1179
- WebKit comments: https://github.com/WebKit/standards-positions/issues/463
- Developers:
  - https://github.com/w3ctag/ethical-web-principles/issues/120#issuecomment-2285348765
  - https://github.com/w3ctag/ethical-web-principles/issues/120#issuecomment-2285431557
Status/issue trackers for implementations⁴:
- https://chromestatus.com/feature/5183481574850560

Further details:

[ x ] I have reviewed the TAG's Web Platform Design Principles
Previous early design review, if any: #946/#888
Relevant time constraints or deadlines:
The group where the work on this specification is currently being done: W3C Web Applications WG
The group where standardization of this work is intended to be done (if different from the current group):
Major unresolved issues with or opposition to this specification:
This work is being funded by: @MicrosoftEdge

You should also know that...

This is an updated design based on previous reviews and feedback from multiple parties, including TAG. The design has been streamlined to be consistent across all calls.

Discussions

Comment by @zcorpan Feb 21, 2025 (See Github)

A comment on the self-review:

How does your feature handle non-"fully active" documents? This feature does not interact with non-"fully active" documents.

This should be considered when writing the spec. It's possible to have a reference to the navigator object of a non-"fully active" document, and call install() on it. It should probably do something like https://html.spec.whatwg.org/#dom-navigation-navigate step 3 and 7

Discussed Feb 24, 2025 (See Github)

Jeffrey: I left a comment saying "they haven't addressed"... I think we can postpone...

Dan: breakout on this at the f2f?

Jeffrey: their non-goals .. a bunch of capabilities around how you pick applications... Talking about the whole problem space makes sense... They are clearly looking at this whole space. Our perspective should be about the space.

Dan: they think they have addressed some of the concerns that we have raised...

Jeffrey: I could leave a comment asking them ...

Dan: Yes please...

jeffrey to leave comment

Comment by @jyasskin Feb 26, 2025 (See Github)

Hi! First, thank you for adjusting the proposal in response to some of our previous feedback, in particular removing install_sources and postponing navigator.getInstalledApps(). I don't see adjustments or explanations in response to some of the other comments:

The "Declarative install" alternative, which mentions <a target> doesn't mention our suggestion to consider rel.
The TAG felt like it was probably better for users if they can interact with the to-be-installed site before being asked if they want to install it. The Declarative Install alternative says that "Takes the user out of the current context." is a downside, but the TAG currently disagrees that that's a downside and would need to be convinced. What data have you collected that shows that it's bad for users to have to visit a website before installing it? A "peek" UI like https://resources.arc.net/hc/en-us/articles/19335302900887-Peek-Preview-Sites-From-Pinned-Tabs might also offer a way to get the best of both options.

We don't expect to review this again in detail before our comments from last time are more fully addressed.

Comment by @diekus Feb 27, 2025 (See Github)

Hola @jyasskin ✨

Thanks for your prompt review. I have modified the explainer to address the two points you mention are still pending, and I'd like to expand on them in this issue as well.

First and foremost, I want to express that I firmly believe that both solutions are desired. As stated in the explainer, we believe that a declarative implementation is a simple and effective solution, and should be considered as an additional method of installation in the future.

For the current solution, we want to go with an imperative implementation since it allows more control over the overall installation UX:

Allows the source to detect if an installation occurred with ease. (resolves/rejects a promise).
Supports install_url. The current reality of the web is such that some websites intentionally do not expose their manifest nor user experience until the user has authenticated. We believe that having the ability to offer an install_url (one where the only content may simply be a link to the manifest) is a key advantage for both developers and end-users. The declarative version does not cleanly support this concept (as a fallback navigation to an install_url that was specified as the href on non-supporting UA's might leave the user confusingly stranded on a blank page.
Code can be used to detect if an origin has permission to install apps (and/or if the UA supports the API at all), and UX can be tailored to change accordingly (for example, remove a button or display a link instead).
The developer ergonomics of handling a promise are better than responding to an a tag navigation.
Keeps the user in the context, which can be beneficial in certain scenarios (if the developer wants to take the user out of the current context, they can do so with a a tag).

Overall it gives developers more control to create really compelling UX experiences for end users, which are the ones that will benefit from frictionless app acquisition in the end.

Regarding the idea of a try-before-you-buy scenario, it's a really good call and great idea! I have added a section in the explainer as well to mention it. I do think that is an implementation detail, up to the UA. Some browsers might want to show a prompt, some a confirmation dialog, some might want to do a rich-install-prompt... and some might even load the app for the users to see before confirming that they want to install it! (like the neat link you sent about Arc's peek). All this is up to the browser and what they consider is the best UX to present to the user before installing an app.

I hope these points address your concerns and we can continue to discuss the Web Install feature!

Discussed Mar 31, 2025 (See Github)

dan summarizes

Jeffrey: I think we should allow browsers to experiment in this area without damaging other browsers... that's where the declarative comment came from... I haven't gone through the update yet. Want to find them a way forward.

Dan: new concept they have introduced... active tab..

Jeffrey: MS have done more to explore Install...

we agree to continue to review and come back to it next week

Discussed Apr 14, 2025 (See Github)

Hadley: @torgo, @marcoscaceres not present Matthew: There are several comments on the private thread Hadley: We will leave this until the assignees can attend

Discussed Apr 21, 2025 (See Github)

Marcos: the whole democratization thing ... bothers me. The web is a quite democratic platform already. this provides an API for something that most browsers can do. This doesn't change anything just adds a JavaScript API for existing functionality. Need to see what's changed.

Martin: Long discussion.. most of us here were relatively OK with a web app calling an API to install itself. Browser could choose to ignore, or it could raise UI for installaiton. The problem we had was online catalogs and installing someone else's webapp.

Marcos: Yes and I already provided a bunch of feedback.. Numerous ways of doing a this thing... Goal is what?

Dan: a key point is the background document...

Marcos: it's complicated. The whole thing of having URLs... overriding ID seems like a foot gun. Developers do want to have their own install button... because some browsers don't have a good UI to install... What's interesting here from a TAG PoV - we've been discussing this API for well over a decade. We've examined the challenges. Browser developers have not made sufficient strides to address the usability problems of installation. So yes this is a warranted API. User needs are not adaquately addressed by the current browser UIs. Having said that, the rest of the stuff around install URLs, manifest paramaters, seems like overreach.

Dan: I think it's totally reasonable to go back to our previous guidance and say "We're still concerned about the cross-origin cases. Please move ahead with same origin install - we like it - then once we see how this plays in the ecosystem then let's try to solve the X-origin cases at that point."

Marcos: yes ... it's that and the argument I made to Diego ... does my bank's web site need to have this capability? Why does any web site in the world need to be an app store? They might not be playing favourites, but they add this creepy ability to every website.

Lola: I feel indifferent on this. I don't know enough, but Marcos' point about providing this ability to every website, while I agree that this might not be the best thing, think about user expectations and how they use the web. Because of the shift to app-based browsing, many users do expect that sites have some installable app.

Marcos: good point and it's why we designed web manifests; the idea is that it is a progressive enhancement, so that any website can be installed, [but those with manifests are better when installed]. The user needs to be in control, it needs to be their choice. This is why Safari resisted the API. The manifest then provides the nicer experience. This is why the store thing is problematic is because it starts to shift that control away from users. You get install buttons everywhere. Also the cross-origin thing doesn't make much sense. People could go to the site and install it from there.

Torgo: We have this situation where sites popup prompts for installing the app, not the site. The site can't action the installation of a webapp instead. You get the native app instead. Lots of sites nag constantly about that native app. An option to install the web site might reduce the desire to do that.

Marcos: Been doing this so long, that conflates different problems. NYT/WaPo have the same issue. it's not related to developers doing that, it's a browser issue. if the meta tag that prompts the user is dismissed, that prompt doesn't come back. In safari, the site doesn't learn that the user chose not to engage.

Torgo: Very close to app vs. web, but this could do good. Do we have consensus that we have an OK for same origin, please hold cross-origin.

Christian: install method ... will launch in chrome ... 3 flavours...

Martin: shipping or an experiment?

Christan: it's an origin trial so an experiment...

Martin: the logical extension is .. if I can install it through a web app store then I can uninstall it through a web appp store... there are certain sites on the web that have signifigant power such as search engines, social networks...

Marcos: that's why some browsers are insistent that install is a user decision...

Xiaocheng: we need to do things in a more webby approach... A decentralzed store for web apps..

Marcos: that doesn't change the core principle...

Hi Diego,

We'd be "satisfied" here if this were limited to the same origin case for reasons we previously indicated. But we are leaving this as "unsatisfied" on the basis that it includes the cross origin capability. We refer you to our previous comments on that for the details.

ACTION: Dan to wordsmith and propose a closing comment

Discussed Apr 28, 2025 (See Github)

Martin: Without the privacy-invasive APIs, the cross-origin part is a bit incomplete. We should acknowledge that they tried.

Marcos: Wish we could get them back to just showing the install dialog, and that's it. That's the 98% use case.

Martin: Let the website dedicate the amount of screen it thinks is appropriate.

Martin: not sure what else we can suggest in terms of text.

Jeffrey: we should encourage them to do the same site

Martin: you mean same origin ?

Jeffrey: no, that's not division they are using. There are background documents, etc.

Jeffrey: navigator.install(install_url) can install background documents; navigator.install() can't.

Martin: the central concern is the spooky action at a distance thing.

Jeffrey: So navigator.install(same_site_url) is fine for now.

Marcos: As long as it doesn't involve any additional magic, like ID overrides. This just opens the UI. Don't want it being an update mechanism or bringing in any extra scope.

Action on Marcos to suggest text; ask Torgo to follow up.

Discussed May 12, 2025 (See Github)

(Martin) Torgo needs to revise the proposed text based on the ensuing discussion.

Torgo: I do.

Christian: I'd like to discuss the API shape, when you've done that.

Dan: then let's keep it agenda+ and come back it next week.

Discussed May 26, 2025 (See Github)

DanA: Had hoped to have a discussion with Marcos about it before posting the draft comment. Suggest waiting for that.

Discussed Jun 2, 2025 (See Github)

Marcos gives an update: Make WWDC go away and we can resume normal operation.

Dan: Hoping to have Marcos post the comment. It's not that I disagree with the criticism, but I see the upsides of the proposal and probably would prefer not to post myself. Happy with the consensus of the group though.

Marcos: OK. What we wrote was good. I'll check and post or come back.

[Returning to this, later in the meeting]

marcos: I added a little bit of text around the ID override mechanism is necessary, but this is something that the working group might consider in more detail. I considered feedback from Christian, who suggested "decline", rather than "unsatisfied". ... simple, based on real-world experience, and implementer interest. Only Microsoft are interested in the cross-origin stuff.

Beyond that, I'm satisfied with what's there.

Dan: I'm happy with the comment.

Martin: I'm happy with it too. I'd be unhappy with a decline -- we ARE making a decision here.

Marcos: Ok. Let's change it back to "unsatisfied".

Dan: I think it has to be one of those two. "Decline" is not a negative comment from us. Why does Christian think we should decline?

Marcos: I guess because we are satisfied with part of it, but not the other part -- was his rationale. We can make that clear in the text.

Martin: I think if the objections to the cross origin thing wasn't so strong, we chould use "satisfied with concerns." But the parts we don't like are most of it.

Marcos: I'll add that.

Martin: Yes, we liked the same origin install thing. If it was just that, we'd be "satisfied".

Marcos: it's the ID stuff

Martin: They don't need the ID stuff for the same origin one. only for the cross origin one

Marcos: no, they also want it for the same origin one.

Martin: Oh, OK

Marcos: done

Resolved, shipped, sealed, delivered, with a bow on it