
756 points dagurp | 3 comments
bloopernova No.36882508
Would this end up breaking curl, or any other tool that accesses https?
replies(3): >>36882597 #>>36883468 #>>36885184 #
fooyc No.36882597
Yes it will
replies(1): >>36883267 #
pdanpdan No.36883267
How?
replies(1): >>36883425 #
1. toyg No.36883425
The whole point of WEI is that the site can choose to block any combination of browser and OS they see fit, in a reliable way (currently, browsers can freely lie). CURL and friends will almost immediately be branded as bots and banned - that's the stated objective.
replies(2): >>36883609 #>>36883638 #
2. pdanpdan No.36883609
How?

The page must first load, then it requests an attestation using js and sends it back to the server for further use (like a recaptcha token).

So for something like curl it could be no change.

https://github.com/RupertBenWiser/Web-Environment-Integrity/...

3. snvzz No.36883638
It is more severe than that. The design favors a whitelist approach: Only browsers that can get the attestation from a "trusted source" are allowed. Browsers that cannot, don't.
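
The flow pdanpdan describes and the allowlist snvzz describes, modelled as an added example that is not part of the thread or of the WEI proposal's own code: a client with no token still gets the page, but the follow-up request is refused unless an attester on the site's allowlist vouches for it. The attester names, environment strings, single-use tokens and the content binding are assumptions of this model.

```javascript
// Constructed model, not the WEI wire format; tokens are opaque ids checked with the issuer.
function makeAttester(name, trustedEnvironments) {
  const issued = new Map(); // token -> content binding it was issued for
  let counter = 0;
  return {
    name,
    // Client side: returns null when the environment is not one it vouches for.
    attest(environment, contentBinding) {
      if (!trustedEnvironments.has(environment)) return null;
      const token = `${name}:${++counter}`;
      issued.set(token, contentBinding);
      return token;
    },
    // Site side: valid once, and only for the binding it was issued for.
    verify(token, contentBinding) {
      const ok = issued.has(token) && issued.get(token) === contentBinding;
      issued.delete(token);
      return ok;
    },
  };
}
function makeSite(allowedAttesters) {
  return {
    // Step 1: the page is served to any client; no token exists yet.
    getPage: () => ({ status: 200 }),
    // Step 2: the follow-up request is where the site can require a token.
    postAction({ attester, token, contentBinding }) {
      const issuer = allowedAttesters.get(attester);
      if (!issuer) return { status: 403, reason: "attester not on allowlist" };
      if (!issuer.verify(token, contentBinding))
        return { status: 403, reason: "missing or invalid token" };
      return { status: 200, reason: "ok" };
    },
  };
}
function demo() {
  const a = makeAttester("attester-a", new Set(["browser-x/os-y"]));
  const site = makeSite(new Map([[a.name, a]])); // only attester-a is trusted
  const binding = "POST /action nonce=1"; // constructed sample binding
  const token = a.attest("browser-x/os-y", binding);
  const good = { attester: a.name, token, contentBinding: binding };
  return {
    plainPage: site.getPage().status, // curl-like client, first load
    plainAction: site.postAction({ contentBinding: binding }).status,
    attested: site.postAction(good).status,
    replayed: site.postAction(good).status, // same token a second time
    unlisted: site.postAction({ ...good, attester: "attester-b", token: "attester-b:1" }).status,
  };
}
```

Whether a tool like curl is affected therefore depends on which requests a site chooses to gate, not on the initial page load.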