←back to thread

Unpacking Google’s Web Environment Integrity specification

(vivaldi.com)
756 points dagurp | 6 comments | 26 Jul 23 11:30 UTC | HN request time: 0.805s | source | bottom
Show context
wbobeirne ◴[26 Jul 23 17:56 UTC] No.36881997[source]

    > Can we just refuse to implement it?
    > Unfortunately, it’s not that simple this time. Any browser choosing not to implement this would not be trusted and any website choosing to use this API could therefore reject users from those browsers. Google also has ways to drive adoptions by websites themselves.
This is true of any contentious browser feature. Choosing not to implement it means your users will sometimes be presented with a worse UX if a website's developers decide to require that feature.

But as a software creator, it's up to you to determine what is best for your customers. If your only hope of not going along with this is having the EU come in and slapping Google's wrist, I'm concerned that you aren't willing to take a hard stance on your own.

replies(16): >>36882111 #>>36882159 #>>36882251 #>>36882319 #>>36882333 #>>36882392 #>>36883076 #>>36884242 #>>36886398 #>>36886528 #>>36886698 #>>36887109 #>>36888102 #>>36888252 #>>36889157 #>>36890182 #
1. kyrra ◴[26 Jul 23 18:59 UTC] No.36883076[source]
Google has been beat-down before trying to do these kinds of things. 2 ones I can think of:

1) FLoC: https://www.theverge.com/2022/1/25/22900567/google-floc-aban...

2) Dart: Google wanted this to replace javascript, but Mozilla and MS both said no way, as they had no part in it. So that project ended up dying.

Google tries lots of things. Mozilla, MS, and Apple are still strong enough (especially outside the US) to push back on things that they think are a bad idea.

replies(2): >>36885515 #>>36892373 #
2. freedomben ◴[26 Jul 23 21:43 UTC] No.36885515[source]
Dart is still around. The Flutter framework is growing in popularity.

Apple already built and shipped this same feature last year, so they're not opposed. MS? Probably gonna love this. Mozilla hasn't said anything on it (yet at least). I'm not expecting any of those players to save us.

replies(2): >>36886337 #>>36888302 #
3. lxgr ◴[26 Jul 23 23:00 UTC] No.36886337[source]
> The Flutter framework is growing in popularity.

Is that the one rendering [1] text and UI widgets into an HTML canvas element from JavaScript/Dart (completely coincidentally breaking ad blocking in the process)? What a beautiful piece of software.

> Apple already built and shipped this same feature last year,

Are you referring to Private Access Tokens (PAT)? These seem quite a bit more limited in what they do. WEI seems to specifically set out to roll back some of the blinding/anonymization aspects of PAT under the banner of debuggability/providing "feedback" to attesters.

[1] https://docs.flutter.dev/platform-integration/web/renderers

replies(1): >>36895376 #
4. kyrra ◴[27 Jul 23 02:51 UTC] No.36888302[source]
You need to look back at the history of Dart. It was created by the Chrome team, with many of the people who worked on GWT taking part on it. It was created to solve Google's issues with JavaScript. This endeavor failed as no other browser makers picked it up.

We then got AngularJs, but with Dart (AngularDart). This was again trying to improve the coding experience of making web apps.

When typescript came and the Angular team picked that up, TS seems to be the primary path forward (though angulardart is still getting updated).

At this point dart wasn't seeing a lot of attention. The Flutter team was able to pick up Dart as the primary owner and has been driving it since then.

5. account42 ◴[27 Jul 23 12:23 UTC] No.36892373[source]
> Mozilla, MS, and Apple are still strong enough

Apple already implements equivalent functionality.

MS has been pushing "trusted computing" left and right.

Mozilla alone is irrevelant.

6. freedomben ◴[27 Jul 23 15:48 UTC] No.36895376{3}[source]
> Is that the one rendering [1] text and UI widgets into an HTML canvas element from JavaScript/Dart (completely coincidentally breaking ad blocking in the process)? What a beautiful piece of software.

Yep. I'm not saying Dart is a good thing - I've never used it and don't currently have plans too. All I'm saying is that it is NOT dead as GP asserted.

> Are you referring to Private Access Tokens (PAT)? These seem quite a bit more limited in what they do. WEI seems to specifically set out to roll back some of the blinding/anonymization aspects of PAT under the banner of debuggability/providing "feedback" to attesters.

Yes. PATs don't provide as much information about the attestation to the website, but they do provide the critical part which is "is this person using a blessed client." That's plenty for a website to block people on.