Web Environment Integrity

Web Environment Integrity (WEI) is an abandoned API proposal previously under development for Google Chrome. [1] A Web Environment Integrity prototype existed in Chromium, [2] [3] but was removed in November 2023 after extensive criticism by many tech groups. [4] Its purpose was to verify that interactions with websites were human and 'authentic', as defined by third-party 'attesters'.

Proposal

[Figure: Sequence diagram showing WEI attestation]

The draft proposed an API for websites to get a digitally signed token that contains the certifier's name and whether or not they deem the web client to be authentic. The stated goal was for sites to be able to restrict access to human users instead of automated programs and "allow web servers to evaluate the authenticity of the device and honest representation of the software stack and the traffic from the device". Access to this API would not be allowed in non-secure (HTTP) contexts. [5]
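The token check described above, seen from the website's side, as an added example (not code from the proposal or from Chromium). The token layout, the use of Ed25519, the function names and the attester name `attester.example` are assumptions made for illustration, since the page does not give the wire format.

```javascript
// Added illustration: the token layout below is constructed, not the WEI wire format.
const { generateKeyPairSync, sign, verify } = require('node:crypto');

// Hypothetical attester key pair, plus a second key the site does not trust.
const attesterKeys = generateKeyPairSync('ed25519');
const rogueKeys = generateKeyPairSync('ed25519');

// Website side: attesters this site has chosen to trust, keyed by name.
const trustedAttesters = new Map([['attester.example', attesterKeys.publicKey]]);

// Attester side: sign a payload carrying the attester's name and its verdict.
function issueToken(attester, authentic, privateKey) {
  const payload = Buffer.from(JSON.stringify({ attester, authentic }));
  const signature = sign(null, payload, privateKey);
  return `${payload.toString('base64url')}.${signature.toString('base64url')}`;
}

// Website side: verify the signature over the exact signed bytes, then read the verdict.
function checkToken(token) {
  const parts = String(token).split('.');
  if (parts.length !== 2) return { ok: false, reason: 'malformed' };
  const payload = Buffer.from(parts[0], 'base64url');
  const signature = Buffer.from(parts[1], 'base64url');
  let claims;
  try {
    claims = JSON.parse(payload.toString('utf8'));
  } catch {
    return { ok: false, reason: 'malformed' };
  }
  if (claims === null || typeof claims !== 'object') return { ok: false, reason: 'malformed' };
  // The name only selects which key to try; nothing is trusted until verify() passes.
  const key = trustedAttesters.get(claims.attester);
  if (!key) return { ok: false, reason: 'untrusted attester' };
  if (!verify(null, payload, key, signature)) return { ok: false, reason: 'bad signature' };
  if (claims.authentic !== true) return { ok: false, reason: 'verdict: not authentic' };
  return { ok: true, attester: claims.attester };
}

// Constructed samples: one token from the trusted attester, one signed with the wrong key.
const accepted = issueToken('attester.example', true, attesterKeys.privateKey);
const impostor = issueToken('attester.example', true, rogueKeys.privateKey);
console.log(checkToken(accepted), checkToken(impostor));
```

The site's decision rests entirely on which attester keys it places in its trust list, which is the gatekeeping role the criticism in the Reception section is aimed at.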

History

On April 25, 2023, Google engineers Ben Wiser, Borbala Benko, Philipp Pfeiffenberger and Sergey Kataev created a GitHub repository explaining the details of the proposal. [6] The proposal was harshly criticized by GitHub users, with numerous comments, issues and pull requests voicing strong opposition to the existence of the standard and arguing for its deletion.

On July 21, 2023, Wiser and fellow Google engineer Yoav Weiss added a code of conduct to the explanation repository [7] and locked it from receiving new comments, issues or pull requests. On the same day, preliminary code was added to Chromium to implement the standard. This also received a large number of highly negative comments. [2]

On November 2, 2023, Google abandoned the proposal, removed the prototype implementation from Chromium, and proposed a replacement API named "Android WebView Media Integrity API" limited to WebViews on Android. Google plans to start testing the new API with partners in early 2024. [4]

Reception

The proposal received widespread criticism for limiting general purpose computing, with some comparing WEI to digital rights management (DRM). [8] Others have accused the standard of being evidence of Google abusing Chrome's near-monopoly of browser share. [9] Some have issued official statements on the matter in 2023:

References

  1. Amadeo, Ron (August 3, 2023). "Google's nightmare "Web Integrity API" wants a DRM gatekeeper for the web". Ars Technica. Retrieved August 3, 2023.
  2. "[wei] Ensure Origin Trial enables full feature · chromium/chromium@6f47a22". GitHub. Retrieved August 19, 2023.
  3. "Feature: Web environment integrity API". Chrome Platform Status. May 9, 2023. Retrieved August 23, 2023.
  4. Claburn, Thomas (November 2, 2023). "Google abandons Web Environment Integrity proposal". The Register. Retrieved November 10, 2023.
  5. "Web-Environment-Integrity/explainer.md at main · RupertBenWiser/Web-Environment-Integrity". GitHub. Retrieved July 26, 2023.
  6. Wiser, Ben (August 18, 2023), Web Environment Integrity API, retrieved August 19, 2023.
  7. "Create CODE_OF_CONDUCT.md · RupertBenWiser/Web-Environment-Integrity@7998217". GitHub. Retrieved August 19, 2023.
  8. Amadeo, Ron (July 24, 2023). "Google's nightmare "Web Integrity API" wants a DRM gatekeeper for the web". Ars Technica. Retrieved July 26, 2023.
  9. Claburn, Thomas. "Google Web Environment Integrity draft draws developer rage". The Register. Retrieved August 19, 2023.
  10. "Request for Position: Web Environment Integrity API · Issue #852 · mozilla/standards-positions". GitHub. Retrieved July 26, 2023.
  11. "Unpacking Google's new "dangerous" Web-Environment-Integrity specification". Vivaldi Browser. July 25, 2023. Retrieved July 26, 2023.
  12. Farough, Greg (July 28, 2023). ""Web Environment Integrity" is an all-out attack on the free Internet". Free Software Foundation. Retrieved July 28, 2023.
  13. Snyder, Peter (August 1, 2023). "Web Environment Integrity": Locking Down the Web. Retrieved August 29, 2023.
  14. Doctorow, Cory; Hoffman-Andrews, Jacob (August 7, 2023). "Your Computer Should Say What You Tell It To Say". www.eff.org. Retrieved August 7, 2023.
  15. "Web Environment Integrity has no standing at W3C; understanding new W3C work". www.w3.org. August 11, 2023. Retrieved August 11, 2023.