←back to thread

Unpacking Google’s Web Environment Integrity specification

(vivaldi.com)
756 points dagurp | 1 comments | 26 Jul 23 11:30 UTC | HN request time: 0.213s | source
Show context
wbobeirne ◴[26 Jul 23 17:56 UTC] No.36881997[source]

    > Can we just refuse to implement it?
    > Unfortunately, it’s not that simple this time. Any browser choosing not to implement this would not be trusted and any website choosing to use this API could therefore reject users from those browsers. Google also has ways to drive adoptions by websites themselves.
This is true of any contentious browser feature. Choosing not to implement it means your users will sometimes be presented with a worse UX if a website's developers decide to require that feature.

But as a software creator, it's up to you to determine what is best for your customers. If your only hope of not going along with this is having the EU come in and slapping Google's wrist, I'm concerned that you aren't willing to take a hard stance on your own.

replies(16): >>36882111 #>>36882159 #>>36882251 #>>36882319 #>>36882333 #>>36882392 #>>36883076 #>>36884242 #>>36886398 #>>36886528 #>>36886698 #>>36887109 #>>36888102 #>>36888252 #>>36889157 #>>36890182 #
1. evah ◴[27 Jul 23 02:43 UTC] No.36888252[source]
The author should have asked "Can we just implement it then?" because in some cases you literally can't implement the proposed API. That's the core issue with it. Unlike other contentious browser features, even if you wanted to implement attestation, it may be impossible to do so. More precisely, attestation may be impossible to implement on some platforms to the de facto standard that would develop over time. The de facto standard I refer to is the list of attestors web servers will accept. If your platform can't be attested by an approved attestor, you're screwed. That's why it's not that simple this time. The proposed attestation API is literally unimplementable in general. You can't implement it and you can't not implement it.