Platform Compliance & Security
How CWA and the LoadSites container comply with Apple App Store and Google Play policies for rendering web content in native applications.
Web Content Rendering
The LoadSites container renders all CWA web content using the platform's native web rendering engine:
| Platform | Rendering Engine | Component |
|---|---|---|
| iOS | WebKit | WKWebView (Apple's required WebKit framework) |
| Android | Chromium / System WebView | Android WebView (system-provided component) |
CWA apps are standard HTML, CSS, and JavaScript web content — the same technologies rendered by Safari and Chrome. The container does not include a custom rendering engine, interpreter, or code execution environment. All content is rendered by the operating system's built-in web view components.
Apps that display web content must use the WebKit framework and WebKit JavaScript.
LoadSites uses WKWebView exclusively on iOS, fully satisfying this requirement.
Nature of Loaded Content
CWA apps are composed exclusively of static web assets:
- HTML — Standard markup documents
- CSS — Stylesheets for layout and presentation
- JavaScript — Client-side scripts running in the WebView sandbox
- Static assets — Images, fonts, JSON data files
CWA content does not include:
- Native executable code (no .dex, .dylib, .so, .framework files)
- Bytecode or compiled binaries of any kind
- Code that modifies the container app's native functionality
- Plugins, extensions, or modules that run outside the WebView sandbox
All JavaScript executes within the WebView's standard JavaScript engine (JavaScriptCore on iOS, V8 on Android) — the same engines used by Safari and Chrome to run website JavaScript. No additional runtime or interpreter is introduced.
Sandboxing & Isolation
WebView Sandbox
Each CWA app runs inside the operating system's WebView sandbox. This provides the same security boundaries as a web browser tab:
- JavaScript cannot access the device filesystem, process memory, or native APIs directly
- Web content is isolated from the container app's native code
- The same-origin policy is enforced by the WebView
- Content cannot escape the WebView sandbox or elevate privileges
Domain-Scoped Storage
All persistent data is scoped to the combination of domain + appId.
Apps from different domains cannot access each other's stored data. Multiple apps
from the same domain are further isolated by their unique app_id.
Permission Model
CWA apps declare their required permissions in the manifest. The container presents the full permission list to the user during installation. Access is only granted after explicit user consent:
- Users see exactly which device capabilities the app requests before installing
- Each permission maps to a specific native API (camera, location, etc.)
- The user must explicitly accept all permissions before installation proceeds
- Users can remove any app and revoke its access at any time
- Permission data is never shared between apps without user consent
Data and privacy permissions are never shared between loaded web content without explicit user consent for each instance.
Bridge Security Architecture
The CWA bridge (window.LoadSites) provides a controlled interface
between web content and native device capabilities. It is architected with the
following security constraints:
- Message-passing only — The bridge uses an asynchronous message-passing protocol. Web content sends JSON messages to the container and receives JSON responses. There is no direct memory access, pointer sharing, or function binding between web and native code.
- Permission-gated — Every bridge API call is checked against the app's declared and user-approved permissions. Calls to APIs not covered by the app's permissions are rejected.
- Scoped to the installed app — The bridge is only available to content served from the app's locally extracted bundle. It is not exposed to arbitrary URLs or external websites.
- Read-only device info — Device APIs provide read-only information (platform, model, OS version). The bridge cannot modify system settings, install software, or alter the device configuration.
- No code execution — The bridge does not provide any mechanism for web content to execute native code, load native libraries, or call system APIs directly. All native functionality is mediated through the container's predefined API surface.
No Native Code Download
CWA bundles contain only static web assets (HTML, CSS, JavaScript, images). The container:
- Does not download or execute native executable code from external sources
- Does not install native plugins, frameworks, or dynamic libraries at runtime
- Does not modify the container app's compiled binary or native functionality
- Does not introduce new native APIs or platform capabilities beyond those compiled into the container app at build time
The downloadable ZIP bundles are functionally equivalent to website assets that would be loaded by navigating to a URL in a web browser. The container pre-downloads them for offline availability and faster load times.
CWA web bundles do not introduce or change the features or functionality of the container app. They are static web content rendered in the system WebView, analogous to web pages loaded in any browser. The container app's native functionality is fixed at build time.
CWA does not download executable code (DEX files, native libraries) from external sources. JavaScript runs within the sandboxed WebView using the system-provided JavaScript engine, consistent with standard web content rendering.
Content Policies
Developer Responsibility
CWA app developers are responsible for ensuring their web content complies with
all applicable laws and platform policies. The manifest includes the
app_author field, identifying the content provider.
Content Moderation
The LoadSites container provides the following content safety mechanisms:
- Manifest validation — The container validates manifest structure and fields before allowing installation
- Permission transparency — Users see all requested permissions before installing any app
- User-initiated installation only — Apps are only installed when the user explicitly enters a domain and confirms installation; no automatic or background installs occur
- Easy removal — Users can remove any installed app with a long-press action, which deletes all associated data and files
- Content reporting — The container provides mechanisms for reporting objectionable content
- Content blocking — The container can block specific domains or apps from being installed
The container provides content filtering, reporting, and blocking mechanisms as required for apps that host third-party web content.
Prohibited Content
CWA apps distributed through LoadSites must not contain:
- Illegal content or content that facilitates illegal activity
- Malware, spyware, or code designed to harm users or devices
- Content that exploits or endangers minors
- Hate speech, harassment, or content promoting violence
- Deceptive content designed to phish, scam, or mislead users
- Content that violates intellectual property rights
- Content that collects user data without disclosure and consent
Data Privacy
- CWA apps store data locally on the device using the container's storage API
- Storage is scoped per domain and app ID — apps cannot access each other's data
- The container does not transmit stored data to external servers
- Network requests made by web content go through the standard WebView networking stack with normal OS-level privacy protections
- Device information (platform, model, OS version) is only accessible to apps
that declare and receive the
devicepermission - Location data requires the
geolocationpermission and triggers the OS-level location permission prompt - Camera and microphone access require respective permissions and trigger OS-level permission prompts
Update Mechanism
CWA app updates follow a controlled process:
- The container checks the manifest's
app_versionfield when the user opens the app - If a newer version is available, the new ZIP bundle is downloaded
- The new bundle replaces the previous one locally
- The update contains only static web assets (HTML, CSS, JS, images)
- Updates do not modify the container app's native code or behavior
- The container's bridge API surface is fixed at the container's build time and is not altered by app updates
CWA updates replace web content (equivalent to a website updating its pages), not native app code. The container app itself is only updated through the App Store / Play Store.
Bundle Limits
| Constraint | Limit | Purpose |
|---|---|---|
| Maximum ZIP size | 50 MB | Prevents abuse and excessive storage use |
| Allowed file types | HTML, CSS, JS, images, fonts, JSON, SVG, audio, video | Only standard web assets |
| Prohibited file types | Executables, binaries, native libraries, bytecode | No native code execution |
| Entry point | Must be an HTML file | Content is always rendered as web content |
Apple App Store Compliance Summary
| Guideline | Requirement | How CWA Complies |
|---|---|---|
| 2.5.2 | Apps should be self-contained; must not download code that changes app functionality | CWA bundles are static web assets (HTML/CSS/JS). They do not modify the container's native functionality. Equivalent to loading a web page. |
| 2.5.6 | Web content must use WebKit framework | Container uses WKWebView exclusively on iOS |
| 4.2 | Minimum functionality; not a web clip | Container provides native navigation, push notifications, offline storage, haptic feedback, biometrics, camera integration, and a native home screen — features beyond what a browser bookmark provides |
| 4.7 | Mini apps must comply with all guidelines; content filtering, reporting, blocking required | Container validates manifests, enforces permissions, provides content reporting and blocking, and requires user consent for each installation |
| 4.7.2 | Must not extend native platform APIs to loaded software without permission | Bridge API is a fixed, predefined set of capabilities compiled into the container. It does not expose raw platform APIs. All access is mediated and permission-gated. |
| 4.7.3 | Must not share data or permissions between apps without user consent | Storage is isolated per domain+appId. Permissions are scoped per app. No data sharing between apps. |
| 1.2 / 5.1 | User safety, privacy, content moderation | Content reporting, blocking, user-initiated install only, full permission transparency, OS-level privacy prompts for sensitive APIs |
Google Play Compliance Summary
| Policy | Requirement | How CWA Complies |
|---|---|---|
| Device & Network Abuse | No downloading executable code from external sources | CWA bundles contain only HTML/CSS/JS — no DEX, native libraries, or executable binaries. JavaScript runs in the sandboxed system WebView. |
| Deceptive Behavior | No dynamic code that circumvents review | Web content runs in the standard WebView sandbox. The container's native bridge API surface is fixed at build time and reviewed with the app. |
| JavaScript Interface | No JS bridge exposed to untrusted content | The bridge is only available to content served from the locally installed app bundle, not to arbitrary external URLs. |
| User-Generated Content | Content moderation, reporting, blocking, terms of use | Container provides manifest validation, permission transparency, content reporting, domain blocking, and easy app removal. |