←back to thread

Unpacking Google’s Web Environment Integrity specification

(vivaldi.com)
756 points dagurp | 1 comments | 26 Jul 23 11:30 UTC | HN request time: 0.001s | source
Show context
wbobeirne ◴[26 Jul 23 17:56 UTC] No.36881997[source]

    > Can we just refuse to implement it?
    > Unfortunately, it’s not that simple this time. Any browser choosing not to implement this would not be trusted and any website choosing to use this API could therefore reject users from those browsers. Google also has ways to drive adoptions by websites themselves.
This is true of any contentious browser feature. Choosing not to implement it means your users will sometimes be presented with a worse UX if a website's developers decide to require that feature.

But as a software creator, it's up to you to determine what is best for your customers. If your only hope of not going along with this is having the EU come in and slapping Google's wrist, I'm concerned that you aren't willing to take a hard stance on your own.

replies(16): >>36882111 #>>36882159 #>>36882251 #>>36882319 #>>36882333 #>>36882392 #>>36883076 #>>36884242 #>>36886398 #>>36886528 #>>36886698 #>>36887109 #>>36888102 #>>36888252 #>>36889157 #>>36890182 #
rezonant ◴[26 Jul 23 18:14 UTC] No.36882319[source]
> Choosing not to implement it means your users will sometimes be presented with a worse UX if a website's developers decide to require that feature.

I think this makes a category error. Most browser features/APIs are indeed treated as progressive enhancements by web developers, at least until an overwhelming number of the users have access to that feature. And even then, even if the developer makes assumptions that the feature/API is present, often the result is a degraded experience rather than an all-out broken experience.

The same is not true of web attestation. If a website requires it and a browser refuses to implement it, in at least some cases (probably a concerningly high number of cases though) the result will be that the user is entirely locked out of using that website.

It's also worth noting that _even if_ Vivaldi implements WEI, there's a solid chance that the attestation authority (Google, Microsoft, Apple) or possibly the website itself[1] will not accept it as a valid environment at all! After all, what makes Vivaldi not a "malicious or automated environment" in their eyes? What if Vivaldi allows full ad blocking extensions? User automation/scripting? Or any example of too much freedom to the user. Will the attestation authority decide that it is not worthy of being an acceptable environment?

[1] if this ends up spiralling out of control by allowing the full attestation chain to be inspected by the website

replies(2): >>36882374 #>>36882682 #
iforgotpassword ◴[26 Jul 23 18:17 UTC] No.36882374[source]
It still feels like they rather bend over and take it than risking losing market share.
replies(1): >>36882448 #
1. mrguyorama ◴[26 Jul 23 18:22 UTC] No.36882448{3}[source]
Vivaldi's entire reason for being is "I literally cannot bring myself to just use firefox instead so I'll bend over backwards to try and remove objectionable things from chromium and still end up supporting chrome as the web default"