Unpacking Google’s Web Environment Integrity specification

(vivaldi.com)

756 points dagurp | 1 comments | 26 Jul 23 11:30 UTC | HN request time: 0s | source

Show context

jfoutz ◴[26 Jul 23 17:59 UTC] No.36882062[source]▶

This kinda seems like a fantastic way to implement micro payments. The site owner sets up a attestor that knows they’ve paid.

I hate Wei in general, but it really could open up control over bots and paid access.

replies(2): >>36882168 #>>36882351 #

wbobeirne ◴[26 Jul 23 18:05 UTC] No.36882168[source]▶

>>36882062 #

There is no reason that can't be done with existing web technology, WEI does not advance that use case in any meaningful way.

replies(1): >>36882384 #

jfoutz ◴[26 Jul 23 18:18 UTC] No.36882384[source]▶

>>36882168 #

It provides a uniform service for ensuring a client has desired properties.

That’s kinda tricky to do well. Traffic for monitoring, you can do with a jwt, but like, enabling chunked transfer in python request lib is a problem you discover. An array of attestors could guarantee feature sets.

replies(4): >>36882530 #>>36883260 #>>36883315 #>>36884634 #

1. danShumway ◴[26 Jul 23 19:13 UTC] No.36883315[source]▶

>>36882384 #

> for ensuring a client has desired properties.

There's nothing about payments that requires testing client properties though. What you want is the ability to test if there's a corresponding payment, that has nothing really to do with the client's device. It just seems like irrelevant information, what are these "desired properties"?

You want a corresponding token with the request that matches a payment. And WEI seems like a strictly inferior way to get that instead of just... asking a payment provider for the token. What does my hardware/OS/browser have to do with a payment token?

↑