After Marco had added initial support for WAC apps to Plasma, at open-slx, we spent a few cycles on taking this to the next level. WAC apps are apps written in HTML5 which are shipped as packaged websites with everything needed included in the package. On top of the normal web browser APIs, WAC apps can access a set of API calls that allow access to various aspects of the underlying system (device and network information, contacts, hardware such as camera, accelerometer, location sensors, etc.).
Most of the hard work is already done by the excellent WebKit. The parts needed in Plasma and KDE are support for loading the package format, and allowing access to certain system APIs. Marco has written an AppletScript Plugin, which basically wraps the WAC format into a Plasmoid so it can be loaded into any Plasma Shell (Plasma Desktop, Netbook, Active, MediaCenter, etc).
Implementing the WAC-specified APIs turns out to be quite a bit of work. I have started on the DeviceStatus API, and on my laptop, HTML5/WAC apps are now able to access system information such as software versions and battery status. The complete WAC API is quite big, so right now we only support a small subset. The basics are done, and with growing support in this API, we’re able to run more and more apps on Plasma devices.
Everything is running inside a sandbox (in our case a WebKit container inside Plasma), so it is quite easy to restrict everything beyond the browser’s DOM API. When working on the permission model, I reflected on how the user actually handles these permissions. Many people seem to complain that even if the app announces which APIs it wants to access, the user still does not really have a choice beyond all-or-nothing, so most people end up blindly OK’ing whatever the app wants. The code for WAC in Plasma is set up in a way that we can allow access only to certain bits of the API, disallow access or — and that’s the catch — fake access. Fake access means that we tell the app that we support certain APIs, but we will only deliver empty or bogus data, so the app still works, but our address book is not in jeopardy of being sent to some blackhat in a faraway country.
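
The allow / deny / fake choice described above, sketched as an added example (this is not the Plasma or WAC code; the API names, methods and sample values are hypothetical stand-ins):

```javascript
// Added illustration: API names, methods and values are hypothetical stand-ins.
// Constructed sample backends representing the real system services.
const backends = {
  contacts: { find: () => [{ name: "Alice Example", phone: "+00 555 0100" }] },
  devicestatus: { batteryLevel: () => 87 },
  geolocation: { position: () => ({ lat: 52.1, lon: 9.7 }) },
};

// Decoys return empty or bogus data in the same shape, so the app keeps working.
const decoys = {
  contacts: { find: () => [] },
  devicestatus: { batteryLevel: () => 100 },
  geolocation: { position: () => ({ lat: 0, lon: 0 }) },
};

// Build the object the sandboxed page sees. Default is deny: an API without
// a policy entry is simply not exposed. Every call is recorded in `audit`.
function buildBridge(policy, audit) {
  const bridge = {};
  for (const api of Object.keys(backends)) {
    const listed = Object.prototype.hasOwnProperty.call(policy, api);
    const mode = listed ? policy[api] : "deny";
    if (mode === "deny") continue;
    if (mode !== "allow" && mode !== "fake") {
      throw new Error("unknown mode for " + api + ": " + mode); // fail closed
    }
    const impl = mode === "allow" ? backends[api] : decoys[api];
    const exposed = {};
    for (const [method, fn] of Object.entries(impl)) {
      exposed[method] = (...args) => {
        audit.push({ api, method, mode });
        return fn(...args);
      };
    }
    bridge[api] = Object.freeze(exposed);
  }
  return Object.freeze(bridge);
}

// What an app sees when the user fakes contacts and allows device status.
function demo() {
  const audit = [];
  const bridge = buildBridge({ contacts: "fake", devicestatus: "allow" }, audit);
  const contacts = bridge.contacts.find("a");
  const battery = bridge.devicestatus.batteryLevel();
  return { contacts, battery, hasGeo: "geolocation" in bridge, audit };
}
```

The audit list gives the user a record of which APIs the app actually called and in which mode each call was served.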