Web Environment Integrity

Web Environment Integrity (WEI) is an abandoned API proposal previously under development for Google Chrome. [1] A Web Environment Integrity prototype existed in Chromium, [2] [3] but was removed in November 2023 after extensive criticism by many tech groups. [4] Its purpose was to verify that interactions with websites were human and authentic as defined by third-party attesters.

Proposal

[Figure: Sequence diagram showing WEI attestation]

The draft proposed an API for websites to get a digitally signed token that contains the certifier's name and whether or not they deem the web client to be authentic. The stated goal was for sites to be able to restrict access to human users instead of automated programs and "allow web servers to evaluate the authenticity of the device and honest representation of the software stack and the traffic from the device". Access to this API would not be allowed in non-secure (HTTP) contexts. [5]
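The check a website would make on such a token, as an added example that is not code from the WEI draft or from Chromium: the signature must verify under a key of an attester the site already trusts before the verdict is read. The JSON payload, the Ed25519 signature, the `challenge` field used to stop a token being replayed, and the name `attester.example` are assumptions made for illustration.

```javascript
// Added illustration: the token layout (JSON payload + Ed25519 signature)
// is an assumption, not the WEI draft's wire format.
const crypto = require('node:crypto');

// Constructed attester key pair; a real website holds only the public key.
const attesterKeys = crypto.generateKeyPairSync('ed25519');
const TRUSTED_ATTESTERS = new Map([['attester.example', attesterKeys.publicKey]]);

// Attester side: sign its own name, its verdict and the site's challenge.
function issueToken(attester, verdict, challenge, privateKey) {
  const payload = Buffer.from(JSON.stringify({ attester, verdict, challenge }));
  const signature = crypto.sign(null, payload, privateKey);
  return `${payload.toString('base64url')}.${signature.toString('base64url')}`;
}

// Website side: read the verdict only after the signature verifies under a
// trusted attester's key and the token matches this session's challenge.
function verifyToken(token, expectedChallenge) {
  const malformed = { ok: false, reason: 'malformed' };
  const parts = String(token).split('.');
  if (parts.length !== 2) return malformed;
  // Verify the exact bytes received, never a re-serialised copy.
  const payload = Buffer.from(parts[0], 'base64url');
  const signature = Buffer.from(parts[1], 'base64url');
  let claims;
  try {
    claims = JSON.parse(payload.toString('utf8'));
  } catch {
    return malformed;
  }
  if (claims === null || typeof claims !== 'object') return malformed;
  // The name only selects which trusted key to try; it proves nothing by itself.
  const key = TRUSTED_ATTESTERS.get(claims.attester);
  if (!key) return { ok: false, reason: 'unknown attester' };
  if (!crypto.verify(null, payload, key, signature)) {
    return { ok: false, reason: 'bad signature' };
  }
  if (claims.challenge !== expectedChallenge) {
    return { ok: false, reason: 'challenge mismatch' };
  }
  return { ok: true, attester: claims.attester, authentic: claims.verdict === true };
}

const demo = issueToken('attester.example', true, 'c-123', attesterKeys.privateKey);
console.log(verifyToken(demo, 'c-123'));
```
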

History

The proposal first appeared as a commit to Chromium in April, before being announced by its developers, Google engineers, in May. It received a few concerned comments from those who followed the development of the browser's rendering engine. After discussion at W3C in late April, its working draft specification was published as part of the process to develop standards for the web on July 21, 2023. As a result, users flooded the proposal's GitHub repository with critical comments and flaming of the proposal's authors. In response, the Google engineers limited commenting to those who had contributed to the repository and added a code of conduct. [6] On the same day, Chromium's preliminary code to implement the standard was enabled. [2]

On November 2, 2023, Google abandoned the proposal, removed the prototype implementation from Chromium, and proposed a replacement API named "Android WebView Media Integrity API" limited to WebViews on Android. Google plans to start testing the new API with partners in early 2024. [4]

Reception

The proposal received widespread criticism for limiting general purpose computing, with some comparing WEI to digital rights management (DRM). [7] Others have accused the standard of being evidence of Google abusing Chrome's near-monopoly of browser share. [6] Some have issued official statements on the matter in 2023:

References

  1. Amadeo, Ron (August 3, 2023). "Google's nightmare "Web Integrity API" wants a DRM gatekeeper for the web". Ars Technica. Retrieved August 3, 2023.
  2. "[wei] Ensure Origin Trial enables full feature · chromium/chromium@6f47a22". GitHub. Retrieved August 19, 2023.
  3. "Feature: Web environment integrity API". Chrome Platform Status. May 9, 2023. Retrieved August 23, 2023.
  4. Claburn, Thomas (November 2, 2023). "Google abandons Web Environment Integrity proposal". The Register. Retrieved November 10, 2023.
  5. "Web-Environment-Integrity/explainer.md at main · RupertBenWiser/Web-Environment-Integrity". GitHub. Retrieved July 26, 2023.
  6. Claburn, Thomas (July 25, 2023). "Google's next big idea for browser security looks like another freedom grab to some". The Register. Retrieved August 19, 2023.
  7. Amadeo, Ron (July 24, 2023). "Google's nightmare "Web Integrity API" wants a DRM gatekeeper for the web". Ars Technica. Retrieved July 26, 2023.
  8. "Request for Position: Web Environment Integrity API · Issue #852 · mozilla/standards-positions". GitHub. Retrieved July 26, 2023.
  9. "Unpacking Google's new "dangerous" Web-Environment-Integrity specification". Vivaldi Browser. July 25, 2023. Retrieved July 26, 2023.
  10. Farough, Greg (July 28, 2023). ""Web Environment Integrity" is an all-out attack on the free Internet". Free Software Foundation. Retrieved July 28, 2023.
  11. Snyder, Peter (August 1, 2023). "Web Environment Integrity": Locking Down the Web. Retrieved August 29, 2023.
  12. Doctorow, Cory; Hoffman-Andrews, Jacob (August 7, 2023). "Your Computer Should Say What You Tell It To Say". www.eff.org. Retrieved August 7, 2023.
  13. "Web Environment Integrity has no standing at W3C; understanding new W3C work". www.w3.org. August 11, 2023. Retrieved August 11, 2023.