
Isolated Web Apps

Category: Security
Type: New or changed feature
Status: Enabled by default (Chrome 128)
Intent stage: Start prototyping

Summary

[Isolated Web Apps](https://developer.chrome.com/docs/iwa/introduction) (IWAs) are an extension of existing work on PWA installation and Web Packaging that provides the stronger protections against server compromise and other tampering that developers of security-sensitive applications need. Rather than being hosted on live web servers and fetched over HTTPS, these applications are packaged into Web Bundles, signed by their developer, and distributed to end users through one or more of the potential methods described in the [explainer](https://github.com/WICG/isolated-web-apps/blob/main/README.md). In Chrome 128, IWAs became installable through an admin policy only on enterprise-managed ChromeOS devices.

Motivation

Content Security Policy (CSP) provides strong protection against cross-site scripting (XSS) vulnerabilities. Transport Layer Security (TLS) and Subresource Integrity (SRI) protect resources against tampering in transit or when hosted on third-party servers. However, the threat model for some particularly security-sensitive applications includes the main application server itself being compromised and serving malicious content. This goes beyond the protections that current policies can provide and requires thinking about alternative ways that these applications could be distributed and validated.

Standards & signals

Samples: https://github.com/GoogleChromeLabs/telnet-client https://github.com/WICG/controlled-frame/tree/main/test_app

Explainers: https://github.com/WICG/isolated-web-apps/blob/main/README.md
