zlacker

[return to "Unpacking Google’s Web Environment Integrity specification"]
1. wbobei+Hz1[view] [source] 2023-07-26 17:56:15
>>dagurp+(OP) 

    > Can we just refuse to implement it?
    > Unfortunately, it’s not that simple this time. Any browser choosing not to implement this would not be trusted and any website choosing to use this API could therefore reject users from those browsers. Google also has ways to drive adoptions by websites themselves.
This is true of any contentious browser feature. Choosing not to implement it means your users will sometimes be presented with a worse UX if a website's developers decide to require that feature.

But as a software creator, it's up to you to determine what is best for your customers. If your only hope of not going along with this is having the EU come in and slapping Google's wrist, I'm concerned that you aren't willing to take a hard stance on your own.

◧◩
2. lxgr+jC1[view] [source] 2023-07-26 18:05:20
>>wbobei+Hz1
What sets WEI apart is that it, in a way, exerts power over your choice on how to implement other web features, for example whether you're allowed to block elements, or even just show a developer console.

Other than Encrypted Media Extensions (and these are much more constrained than WEI!), I don't know of any other web standard that does that.

◧◩◪
3. wbobei+lF1[view] [source] 2023-07-26 18:16:13
>>lxgr+jC1
While it's a much lesser offense, many APIs are only available in "Secure Contexts", so it's not entirely a new concept https://webidl.spec.whatwg.org/#SecureContext
◧◩◪◨
4. lxgr+PF1[view] [source] 2023-07-26 18:18:03
>>wbobei+lF1
Getting a secure context costs $0 and takes no effort in many common webservers at this point.

I do remember the controversy at the time of everybody shifting to HTTPS only, though, and how it might exclude small/hobbyist sites. Fortunately, we've found ways to mitigate that friction in the end. I'm much less optimistic here.

◧◩◪◨⬒
5. mschus+JR1[view] [source] 2023-07-26 19:01:51
>>lxgr+PF1
The thing is, yes it was controversial at the time to enforce HTTPS, but on the other side I 'member pwning people with ARP spoof attacks (both to steal cookies and credentials as well as simply redirecting all images to porn) at my school already way over a decade ago, and all I had was a laptop, Wireshark, Metasploit and some other piece of open source software whose name I forgot. No ARP sponge and the internet uplink was 10/10 mbit anyway so it was easy to do that shit for the entire school. A year later someone packaged all that stuff into a single software even a complete dunderhead could use to prank and steal facebook sessions at will.

Basic reality and the easiness of attacks made it impossible to stick with HTTP for much longer. And hell if I watch Scammer Payback on Youtube, I'm beginning to think it might be a good idea to disable developer tools on browsers and to only unlock them if you can prove physical, un-remoteable access to a machine, similar to Apple's SIP.

◧◩◪◨⬒⬓
6. chrisw+0Z1[view] [source] 2023-07-26 19:31:12
>>mschus+JR1
> "I'm beginning to think it might be a good idea to disable developer tools on browsers and to only unlock them if you can prove..."

Strongest possible disagreement here.

[go to top]