(httptoolkit.com)

596 points pimterry | 1 comments | 25 Jul 23 14:10 UTC | HN request time: 0.351s | source

Show context

arianvanp ◴[25 Jul 23 14:26 UTC] No.36862728[source]▶

I think this is less invasive though. The Google proposal runs before content loaded into the DOM. Which means it can be used to do things like programmatically detect and block code injection like ad blockers.

PATs are purely a server side thing. They don't give this kind of control. And don't perform a signature over the content

replies(2): >>36862880 #>>36862909 #

1. jsnell ◴[25 Jul 23 14:35 UTC] No.36862880[source]▶

>>36862728 #

PATs give exactly the same control. You could trivially require a PAT on the first page load, before the browser gets to receive any of the content. And header-based protocol can always be converted to a JS-driven protocol just by having the requests be issued from JS.

Content-binding is a necessity for the actual intended use case of these protocols (abuse prevention), but useless for the thing people are afraid of (DRM for the web).

↑

Apple already shipped attestation on the web, and we barely noticed