←back to thread

Unpacking Google’s Web Environment Integrity specification

(vivaldi.com)
756 points dagurp | 5 comments | 26 Jul 23 11:30 UTC | HN request time: 0s | source
Show context
jfoutz ◴[26 Jul 23 17:59 UTC] No.36882062[source]
This kinda seems like a fantastic way to implement micro payments. The site owner sets up a attestor that knows they’ve paid.

I hate Wei in general, but it really could open up control over bots and paid access.

replies(2): >>36882168 #>>36882351 #
wbobeirne ◴[26 Jul 23 18:05 UTC] No.36882168[source]
There is no reason that can't be done with existing web technology, WEI does not advance that use case in any meaningful way.
replies(1): >>36882384 #
1. jfoutz ◴[26 Jul 23 18:18 UTC] No.36882384[source]
It provides a uniform service for ensuring a client has desired properties.

That’s kinda tricky to do well. Traffic for monitoring, you can do with a jwt, but like, enabling chunked transfer in python request lib is a problem you discover. An array of attestors could guarantee feature sets.

replies(4): >>36882530 #>>36883260 #>>36883315 #>>36884634 #
2. wbobeirne ◴[26 Jul 23 18:26 UTC] No.36882530[source]
I'm not understanding how giving the client a token that you put in a request header that proves you've paid, or is just an account lookup token to then ask a payment processor whether or not their account is in good standing, is limited in a way that WEI makes better. I don't see any use cases that wouldn't work that way that would now work with WEI.
3. nobody9999 ◴[26 Jul 23 19:10 UTC] No.36883260[source]
>It provides a uniform service for ensuring a client has desired properties.

I see that as a downside, not a benefit -- who decides whether or not a client (i.e., my software running on my hardware) has those "desired properties" and what might those properties be?

4. danShumway ◴[26 Jul 23 19:13 UTC] No.36883315[source]
> for ensuring a client has desired properties.

There's nothing about payments that requires testing client properties though. What you want is the ability to test if there's a corresponding payment, that has nothing really to do with the client's device. It just seems like irrelevant information, what are these "desired properties"?

You want a corresponding token with the request that matches a payment. And WEI seems like a strictly inferior way to get that instead of just... asking a payment provider for the token. What does my hardware/OS/browser have to do with a payment token?

5. doxick ◴[26 Jul 23 20:38 UTC] No.36884634[source]
This will be great when both my partner and i use the same browser but different ... Different what exactly? Ah.. accounts!

"This allows them to detect the actual device"... As if that isn't a solved space already?