Web Environment Integrity: Difference between revisions

Browse history interactively

← Previous edit

Content deleted Content added

VisualWikitext

Revision as of 12:14, 3 September 2023 edit Dtgriscom (talk \| contribs) Extended confirmed users 2,506 edits Wordsmithing ← Previous edit		Latest revision as of 12:14, 22 August 2025 edit undo 2a0d:3341:c765:6e08:5cf0:37f1:9b85:297e (talk) Update external link Tag: Visual edit
(37 intermediate revisions by 18 users not shown)
Line 1: {{Short description\|~~Proposed~~Abandoned API ~~standard~~proposal by Google}} {{use mdy dates\|date=August 2023}} '''Web Environment Integrity''' ('''WEI''') is aan ~~controversial~~abandoned [[API]] proposal ~~currently~~previously ~~being~~under ~~developed~~development for [[Google Chrome]].<ref>{{Cite web \|last=Amadeo \|first=Ron \|date=2023-08-03 \|title=Google's nightmare "Web Integrity API" wants a DRM gatekeeper for the web \|url=https://arstechnica.com/gadgets/2023/07/googles-web-integrity-api-sounds-like-drm-for-the-web/ \|access-date=2023-08-03 \|website=[[Ars Technica]] \|language=en-us}}</ref> ~~{{As of\|2023\|08\|post=,}} a~~A Web Environment Integrity prototype ~~exists~~existed in [[Chromium, (web browser)\|Chromium]]<ref name=":1">{{Cite web \|title=[wei] Ensure Origin Trial enables full feature · chromium/chromium@6f47a22 \|url=https://github.com/chromium/chromium/commit/6f47a22906b2899412e79a2727355efa9cc8f5bd \|access-date=2023-08-19 \|website=GitHub \|language=en}}</ref> ~~but has not shipped in any browser.~~<ref>{{Cite web \|date=2023-05-09 \|title=Feature: Web environment integrity API \|url=https://chromestatus.com/feature/5796524191121408 ~~\|url-status=live~~ \|access-date=2023-08-23 \|website=Chrome Platform Status}}</ref> from May<ref>{{~~psi~~Cite web \|last=Kalla \|first=Ryan \|title=Add WebEnvironmentIntegrity feature \|url=https://chromium-review.googlesource.com/c/chromium/src/+/4480950 \|access-date=~~August~~2025-07-30 \|website=Chromium Source}}</ref> to November 2023 after extensive criticism by many tech groups.<ref name="abandoned">{{cite web \|last1=Claburn \|first1=Thomas \|date=2023-11-02 \|title=Google abandons Web Environment Integrity proposal \|url=https://www.theregister.com/2023/11/02/google_abandons_web_environment_integrity/ \|access-date=2023-11-10 \|website=[[The Register]] \|language=en}}</ref> Its purpose was to verify that interactions with websites were human and authentic as defined by third-party attesters. == Proposal == [[~~Image~~File:Web Environment Integrity attestation - How it works.svg\|thumb\|~~480px~~upright=2.5\|[[Sequence diagram]] showing WEI attestation]] The draft ~~proposes~~proposed an API for websites to get a [[Digital signature\|digitally signed]] token that contains the certifier's name and whether or not they deem the web client to be authentic. The stated goal iswas for ~~certain~~ sites to ~~only~~be ~~allow~~able to restrict access to human users instead of automated programs and "allow web servers to evaluate the authenticity of the device and honest representation of the software stack and the traffic from the device". Access to this API ~~will~~would not be allowed in non-secure ([[HTTP]]) contexts.<ref>{{Cite web \|title=Web-Environment-Integrity/explainer.md at main · RupertBenWiser/Web-Environment-Integrity \|url=https://github.com/RupertBenWiser/Web-Environment-Integrity/blob/main/explainer.md \|access-date=2023-07-26 \|website=GitHub \|language=en}}</ref> ~~{{clear}}~~ == History == The proposal first showed up as a commit to [[Chromium]] in April before being announced by its developers, Google engineers, in May. It received a few concerned comments from those who followed the browser's rendering engine's development. After discussion at W3C in late April, its working draft specification was published as part of the process to develop standards for the web on July 21, 2023. As a result, users flooded the proposal's [[GitHub]] repository with critical comments and [[Flaming (Internet)\|flaming]] of the proposal's authors. As a result, the Google engineers limited comment to those who have contributed to the repository and added a [[code of conduct]].<ref name="register" /> On the same day, Chromium's preliminary code to implement the standard was enabled.<ref name=":1" /> On April 25, 2023, Google engineers, Ben Wiser, Borbala Benko, Philipp Pfeiffenberger and Sergey Kataev created a [[GitHub]] repository explaining the details of the proposal.<ref>{{Citation \|last=Wiser \|first=Ben \|title=Web Environment Integrity API \|date=2023-08-18 \|url=https://github.com/RupertBenWiser/Web-Environment-Integrity \|access-date=2023-08-19}}</ref> The proposal was [[Flaming (Internet)\|flamed]] by GitHub users, with numerous comments, issues and pull requests voicing strong opposition to the existence of the standard and arguing for its deletion. On November 2, 2023, Google abandoned the proposal, removed the prototype implementation from Chromium, and proposed a replacement API named "Android WebView Media Integrity API" limited to WebViews on Android. Google tested the new API with partners in early 2024.<ref name="abandoned" /> As of late 2024, WebView Media Integrity API is available to all developers.<ref>{{Cite web \|title=WebViewMediaIntegrityApiStatusConfig \|url=https://developer.android.com/reference/kotlin/androidx/webkit/WebViewMediaIntegrityApiStatusConfig \|access-date=2025-07-30 \|website=Android Developers \|language=en}}</ref> On July 21, 2023, Wiser and fellow Google engineer Yoav Weiss added a [[code of conduct]] to the explanation repository<ref>{{Cite web \|title=Create CODE_OF_CONDUCT.md · RupertBenWiser/Web-Environment-Integrity@7998217 \|url=https://github.com/RupertBenWiser/Web-Environment-Integrity/commit/7998217b3d7334a71c26c52aeeadc1c6b1ba1dc4 \|access-date=2023-08-19 \|website=GitHub \|language=en}}</ref> and locked it from receiving new comments, issues or pull requests.{{cn\|date=August 2023}} On the same day, preliminary code was added to Chromium to implement the standard. This also received a large amount of highly negative comments.<ref name=":1" /> == Reception == The proposal ~~has~~received ~~been~~widespread ~~widely criticized~~criticism for limiting general purpose computing, with some comparing WEI to [[digital rights management]] (DRM).<ref>{{Cite web \|last=Amadeo \|first=Ron \|date=2023-07-24 \|title=Google's nightmare "Web Integrity API" wants a DRM gatekeeper for the web \|url=https://arstechnica.com/gadgets/2023/07/googles-web-integrity-api-sounds-like-drm-for-the-web/ \|access-date=2023-07-26 \|website=[[Ars Technica]] \|language=en-us}}</ref><ref>{{Cite web \|last=Claburn \|first=Thomas \|title=Google Web Environment Integrity draft draws developer rage \|url=https://www.theregister.com/2023/07/25/google_web_environment_integrity/ \|access-date=2023-07-26 \|website=[[The Register]] \|language=en}}</ref> Others have accused the standard of being evidence of Google abusing ~~[[Google Chrome\|~~Chrome's]] near-[[monopoly]] of browser share.<ref name="register">{{Cite web \|last=Claburn \|first=Thomas \|date=2023-07-25 \|title=Google's ~~Web~~next ~~Environment~~big ~~Integrity~~idea ~~draft~~for ~~draws~~browser ~~developer~~security ~~rage~~looks like another freedom grab to some \|url=https://www.theregister.com/2023/07/25/google_web_environment_integrity/ \|access-date=2023-08-19 \|website=~~www.theregister.com~~[[The Register]] \|language=en}}</ref> Some have issued official statements on the matter in 2023: * On July 25, [[Mozilla]] opposed it, stating "Any browser, server, or publisher that implements common standards is automatically part of [[the Web]]{{nbsp}}... Mechanisms that attempt to restrict these choices are harmful to the openness of the Web ecosystem and are not good for users."<ref>{{Cite web \|title=Request for Position: Web Environment Integrity API · Issue #852 · mozilla/standards-positions \|url=https://github.com/mozilla/standards-positions/issues/852 \|access-date=2023-07-26 \|website=GitHub \|language=en}}</ref> * On July 27, [[Vivaldi Technologies\|Vivaldi]] opposed it as "simply dangerous" and feared that attestation providers would not be trustworthy.<ref>{{Cite web \|date=2023-07-25 \|title=Unpacking Google's new "dangerous" Web-Environment-Integrity specification \|url=https://vivaldi.com/blog/googles-new-dangerous-web-environment-integrity-spec/ \|access-date=2023-07-26 \|website=Vivaldi Browser \|language=en}}</ref> * On July 29, the [[Free Software Foundation]] opposed it as "an all-out attack on the free Internet" and claimed it would significantly limit the browsers that could be used.<ref>{{Cite web \|first=Greg\|last=Farough\|date=2023-07-28 \|title="Web Environment Integrity" is an all-out attack on the free Internet \|url=https://www.fsf.org/blogs/community/web-environment-integrity-is-an-all-out-attack-on-the-free-internet \|website=Free Software Foundation \|access-date=2023-07-28 \|language=en }}</ref> * On August 1, [[Brave (web browser)\|Brave Software]] announced they will not include WEI in their [[web browser]].<ref>{{Citation \|last=Snyder \|first=Peter \|title="Web Environment Integrity": Locking Down the Web \|date=2023-08-01 \|url=https://brave.com/web-standards-at-brave/9-web-environment-integrity/ \|access-date=2023-08-29 \|language=en \|mode=cs1}}</ref> * On August 7, the [[Electronic Frontier Foundation]] opposed it as "a bad idea that Google should not pursue" and opposed its proposal of selecting a "small percentage" of random users to simulate behavior without WEI in order to prevent websites from blocking unattested users. The EFF claimed that "[m]any websites will consider that ~~“small~~'small ~~percentage”~~percentage' of users an acceptable price to pay" and feared Google would set the percentage extremely low to combat [[ad fraud]].<ref>{{Cite web \|last1=Doctorow \|first1=Cory \|last2=Hoffman-Andrews \|first2=Jacob \|date=2023-08-07 \|title=Your Computer Should Say What You Tell It To Say \|url=https://www.eff.org/deeplinks/2023/08/your-computer-should-say-what-you-tell-it-say-1 \|access-date=2023-08-07 \|website=www.eff.org}}</ref> * On August 11, the [[World Wide Web Consortium]] refrained from taking a stance as it was "not being worked on in W3C, nor has there been any submission [for W3C] review".<ref>{{Cite web \|date=2023-08-11\|url=https://www.w3.org/blog/2023/web-environment-integrity-has-no-standing-at-w3c/\|title=Web Environment Integrity has no standing at W3C; understanding new W3C work\|access-date=2023-08-11\|website=www.w3.org}}</ref> Line 32 ⟶ 31: == External links == * {{GitHub\|~~RupertBenWiser~~explainers-by-googlers/Web-Environment-Integrity}} * [https://chromestatus.com/feature/5796524191121408 Web environment integrity API - Chrome Platform Status]