Comment by wruza

Comment by wruza 3 days ago

15 replies

> an operating system's "native web view" (WRY)

Isn’t that just a randomly abandoned version of something of uncertain origin, on average? Why would one want to use it? I guess to save distribution space.

I don’t have a “top”-deps itch, but using an arbitrary webview sounds like compatibility hell even to me.

WorldMaker 3 days ago

At this point most operating systems are ahead of Electron on average, not behind it. Electron takes longer to bundle a new Chrome version than it should. Then it takes a while for applications to actually upgrade Electron versions because that includes the compatibility headaches of keeping up with all of Chrome changes, Node changes, and Electron API changes at the same time. Some apps are years behind on Electron today simply because they don't want the headache of rebuilding Node native dependencies or fixing Electron API breaks and think being on an old build of Chrome and the subsequent risk of unpatched security problems is an okay risk to take.

There is still a long tail of versions you might encounter when using a (security supported OS), but for most Linux distros, macOS, and Windows the worst case in the long tail is now just 6 months behind. (You lose security support if you don't keep up with semiannual OS releases.) If you have reason such as a corporate overlord to also support LTS OSes the worst case is closer to 2 years depending on Unix distro. (Windows WebView2 remembers IE and still requires regular update cadence even on LTS Windows, so WebView2 on today's LTS Windows should still be closer to the 6 month mark than the 2 year mark if following Microsoft's LTS policies, staying within support, and not paying for more complicated LTS contracts.)

It should be very easy with caniuse/MDN statistics to write web apps for any browser of the last six months. If you plan to support macOS you still need to support two (related like siblings) renderers as macOS wants you to use WebKit/Safari and everything else is Chromium in one way or another today, but testing on two browsers shouldn't be a showstopper for many (most?) apps. There are definitely Chrome-only APIs that might appeal to you in building an app, but at that point many of them you can polyfill with a native dependency (a Rust dependency in the Tauri world).

  • esperent 2 days ago

    > Some apps are years behind on Electron today

    Could you give some examples? This seems like a potential security risk.

    • jabwd 2 days ago

      Random output from my system:

      App Name: Microsoft Azure Storage Explorer.app Electron Version: 25.8.4
      -n File Name: /Applications/Microsoft Azure Storage Explorer.app/Contents/Frameworks/Electron Framework.framework/Electron Framework
      -e App Name: MongoDB Compass.app Electron Version: 30.4.0
      -n File Name: /Applications/MongoDB Compass.app/Contents/Frameworks/Electron Framework.framework/Electron Framework
      -e App Name: Obsidian.app Electron Version: 25.8.1
      -n File Name: /Applications/Obsidian.app/Contents/Frameworks/Electron Framework.framework/Electron Framework

      And to answer your question: yes this is very much a security issue. There are many unpatched versions that are vulnerable to webp exploits, including chat apps (with the serious implications of that being obvious)

      Web devs shouldn't be allowed anywhere near native APIs.
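Added example, not part of the thread: a POSIX shell script that produces the kind of inventory shown in jabwd's output, listing the Electron and Chromium versions bundled in each `.app` and flagging Electron majors below a threshold you choose. It assumes the `Electron Framework` binary embeds its `Chrome/<version> Electron/<version>` user-agent string as plain text; the function names, the sample bundles and their Chromium numbers are constructed for illustration.

```shell
#!/bin/sh
# Added example: inventory the Electron/Chromium versions bundled in .app bundles.
# Assumption: the "Electron Framework" binary embeds its user-agent fragment
# "Chrome/<version> Electron/<version>" as a plain string.

# Print "<electron> <chrome>" for one framework binary (empty if not found).
electron_versions() {
    LC_ALL=C grep -aoE 'Chrome/[0-9.]+ Electron/[0-9]+\.[0-9]+\.[0-9]+' "$1" |
        head -n 1 |
        sed -E 's|Chrome/([0-9.]+) Electron/([0-9.]+)|\2 \1|'
}

# scan_apps ROOT MIN_MAJOR
# One tab-separated line per bundle: app, electron, chrome, status.
# MIN_MAJOR is the oldest Electron major you accept (operator-chosen).
scan_apps() {
    find "$1" -type f -name 'Electron Framework' 2>/dev/null | sort |
    while IFS= read -r bin; do
        app=${bin%%.app/*}.app; app=${app##*/}
        v=$(electron_versions "$bin") || v=
        if [ -z "$v" ]; then
            printf '%s\t?\t?\tUNKNOWN\n' "$app"; continue
        fi
        electron=${v% *}; chrome=${v#* }
        if [ "${electron%%.*}" -lt "$2" ]; then status=OUTDATED; else status=OK; fi
        printf '%s\t%s\t%s\t%s\n' "$app" "$electron" "$chrome" "$status"
    done
}

# Build a constructed bundle layout for offline runs (not a real app).
make_sample() {  # make_sample ROOT APPNAME ELECTRON CHROME
    d="$1/$2.app/Contents/Frameworks/Electron Framework.framework"
    mkdir -p "$d"
    printf 'pad\001Chrome/%s Electron/%s\001pad\n' "$4" "$3" > "$d/Electron Framework"
}

if [ "$#" -eq 2 ]; then
    scan_apps "$1" "$2"      # usage: sh scan.sh <directory> <minimum major>
else
    tmp=$(mktemp -d)
    make_sample "$tmp" "Old Sample" 25.8.4 100.0.0.0   # constructed values
    make_sample "$tmp" "New Sample" 30.4.0 120.0.0.0   # constructed values
    scan_apps "$tmp" 30                                # threshold is illustrative
    rm -rf "$tmp"
fi
```

A bundle reported as `UNKNOWN` contains a framework binary without the expected string and needs a manual look rather than being treated as current.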

derefr 3 days ago

The target you're thinking of with outdated OS webviews is probably Android. Tauri doesn't even support Android; it's a desktop framework.

On both Windows and macOS, the "OS webview" is just a framework binding to the OS-shipped browser (i.e. Edge, Safari); and both Edge and Safari get updated with pretty much every release of the OS (which, in turn, are kept up-to-date in a pretty pushy way these days by Microsoft and Apple.)

Also, in both of these cases, by relying on these OS webviews, you're "sharing" the renderer and other global context with the actual browser (if the user happens to use it), and with all other OS webviews on the machine — rather than each new app needing its own renderer and global context, wasting 1GB+ of memory per app and creating thousands of redundant files on disk for the app's own cache et al.

It's really a pure win vs. Electron for these cases.

On Linux, what you get depends on the distribution format. If distributed as a package, you get a dynamic binding to WebKitGtk — which requires the package manager to resolve and install this (and that might not work, if the distro doesn't ship that package.) If distributed as an .AppImage, you get a vendored-in copy of WebKitGtk — which is basically the same as what you get from Electron.

  • NoahKAndrews 2 days ago

    On modern mainstream Android devices, the WebView is based on Chromium and regularly updated through the Play Store.

    • derefr 2 days ago

      What do you qualify as a "modern mainstream Android device"?

      I think the median Android device out there in the world today — just by sheer volume of them produced — is probably a "Welcome" phone with a MediaTek 6580 chipset and a faked-capacity SD card; i.e. hardware that couldn't possibly run any Android version made in the last six years.

      (Such phones could in theory run Android Go... but they often don't, because these devices are often running non-Google-Play-Store AOSP derivatives — and there's no un-Googled version of Android Go.)

afavour 3 days ago

Not really. macOS’s webview is kept relatively up to date with whatever version of Safari is current when the OS is released. WebView2 on Windows receives regular updates via Windows Update.

You encounter the exact same compatibility issues you would on the web, with a somewhat slower uptake to new versions. Not ideal but entirely manageable.

> why would one want to use it

Primarily because (last I checked, anyway) any app using Electron has to bundle its own version of Chromium, which is massive. It also means each Electron-powered app is totally ignorant of the other, resulting in a lot of duplication and unnecessary memory usage. When you use the system webview you have minimal bulk and resources can be shared, as if they’re multiple tabs in one browser rather than each one being its own browser.

Retr0id 3 days ago

It might be a minor compatibility pain, but I don't think it'd be any worse than developing for the web in general.

  • Sammi 3 days ago

    The alternative to Tauri isn't the web - it's Electron which has a specific Chrome version.

    One big reason people go for delivering their web apps through Electron is so they can guarantee that they are on a specific modern version of Chrome. This is something you lose with Tauri. You gain some tighter memory consumption, but you do trade one thing in for another.

    • creshal 3 days ago

      > they are on a specific modern version of Chrome.

      For some value of "modern", usually "horrifyingly outdated".

troyvit 3 days ago

> I guess to save distribution space.

Personally I'd agree with this. I'd also add that saving the RAM of loading an independent version of Chrome for every Electron app would be nice. Last, I never understood what version of Chrome gets bundled with these Electron apps. Is it more or less secure than WRY?