I’m hoping to get back to everyone as soon as possible. I hope you can all appreciate that I’m a human being and this has been a lot!
In the mean time, I wanted to repost my last comment on the GitHub issue thread [1]:
Hey all, we plan to respond to your feedback but I want to be thorough which will take time and it’s the end of a Friday for me. We wanted to give a quick TL;DR:
- This is an early proposal that is subject to change based on feedback.
- The primary goal is to combat user tracking by giving websites a way to maintain anti-abuse protections for their sites without resorting to invasive fingerprinting.
- It’s also an explicit goal to ensure that user agents can browse the web without this proposal [2]
- The proposal doesn’t involve detecting or blocking extensions, so ad-blockers and accessibility tools are out of scope.
- This is not DRM - WEI does not lock down content
- I’m giving everyone a heads up that I’m limiting comments to contributors over the weekend so that I can try to take a breath away from GitHub. I will reopen them after the weekend
[1] https://github.com/RupertBenWiser/Web-Environment-Integrity/...
[2] https://github.com/RupertBenWiser/Web-Environment-Integrity/...
Right, but there is a severe risk that you give the means to block non-mainstream clients, be it browsers, operating systems or devices, correct?
Yes, it's nice to know you may want to allow user agents to browse the web without WEI and I'm sure you have best intentions, but we are already in a world where banks and even stuff like Zoom just look at the user agent string and say "Ah, I don't know this browser, please install Chrome or Edge!". Why shouldn't they just similarly halt in the future if the WEI API does not exist? I (and the browser vendor) can spoof a user agent, but you can't spoof attestation, i.e. cannot fix it if websites don't allow my browser based on the (missing) WEI API. So, how will you prevent this?
How can you make sure that users of e.g. Asahi Linux will be able to use the web in the future? Who will attestate their browser based on what? How will e.g. Gentoo users use the web with their build-from-source browser and OS? Will e.g. Netflix continue to work reliably on a user agent without WEI (but with Widevine) - and will the holdback population (if holdback is implemented at all - no offense intended, but you didn't sound too confident about this on the blink-dev mailing list, tbh) be large and significant enough for them to not just say "eh, can't verify, use the app please or wait a bit"?