Web Environment Integrity


Web Environment Integrity (WEI) is an abandoned API proposal previously under development for Google Chrome. [1] A Web Environment Integrity prototype existed in Chromium, [2] [3] but was removed in November 2023 after extensive criticism by many tech groups. [4] Its purpose was to verify that interactions with websites were human and authentic as defined by third-party attesters.


Proposal

Figure: Sequence diagram showing WEI attestation.

The draft proposed an API for websites to get a digitally signed token that contains the certifier's name and whether or not they deem the web client to be authentic. The stated goal was for sites to be able to restrict access to human users instead of automated programs and "allow web servers to evaluate the authenticity of the device and honest representation of the software stack and the traffic from the device". Access to this API would not be allowed in non-secure (HTTP) contexts. [5]
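A server receiving such a token would have to verify the signature against a key it already trusts for the named certifier before acting on the verdict. The Node.js code below is an added example, not code from the proposal or from Chromium; the token layout (base64url JSON payload, a dot, base64url Ed25519 signature), the `attester.example` name and the function names are assumptions made for illustration.

```javascript
// Added illustration. Token layout and all names are assumptions, not the WEI draft's format.
const crypto = require('node:crypto');

// Constructed attester key pair; a real relying party would hold only the public key.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
const TRUSTED_ATTESTERS = new Map([['attester.example', publicKey]]);

const b64u = (buf) => Buffer.from(buf).toString('base64url');

// Attester side (simulated): sign the certifier's name together with its verdict.
function issueToken(attester, authentic, key = privateKey) {
  const payload = Buffer.from(JSON.stringify({ attester, authentic }));
  return `${b64u(payload)}.${b64u(crypto.sign(null, payload, key))}`;
}

// Relying-party side: returns { ok, reason } and fails closed on anything unexpected.
function verifyToken(token) {
  const parts = String(token).split('.');
  if (parts.length !== 2) return { ok: false, reason: 'malformed' };
  const payload = Buffer.from(parts[0], 'base64url');
  const signature = Buffer.from(parts[1], 'base64url');
  let claims;
  try {
    claims = JSON.parse(payload.toString('utf8'));
  } catch {
    return { ok: false, reason: 'malformed' };
  }
  if (!claims || typeof claims !== 'object') return { ok: false, reason: 'malformed' };
  // The verification key comes from the server's own allow-list, never from the token.
  const key = TRUSTED_ATTESTERS.get(claims.attester);
  if (!key) return { ok: false, reason: 'untrusted attester' };
  // Verify the exact bytes that were signed before trusting any field in them.
  if (!crypto.verify(null, payload, key, signature)) {
    return { ok: false, reason: 'bad signature' };
  }
  // Only an explicit boolean true counts as an "authentic" verdict.
  if (claims.authentic !== true) return { ok: false, reason: 'verdict: not authentic' };
  return { ok: true, reason: 'verdict: authentic' };
}
```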

History

On April 25, 2023, Google engineers Ben Wiser, Borbala Benko, Philipp Pfeiffenberger and Sergey Kataev created a GitHub repository explaining the details of the proposal. [6] The proposal was flamed by GitHub users, with numerous comments, issues and pull requests voicing strong opposition to the existence of the standard and arguing for its deletion.

On July 21, 2023, Wiser and fellow Google engineer Yoav Weiss added a code of conduct to the explanation repository [7] and locked it from receiving new comments, issues or pull requests. [citation needed] On the same day, preliminary code was added to Chromium to implement the standard. This also received a large number of highly negative comments. [2]

On November 2, 2023, Google abandoned the proposal, removed the prototype implementation from Chromium, and proposed a replacement API named "Android WebView Media Integrity API" limited to WebViews on Android. Google plans to start testing the new API with partners in early 2024. [4]

Reception

The proposal received widespread criticism for limiting general purpose computing, with some comparing WEI to digital rights management (DRM). [8] Others have accused the standard of being evidence of Google abusing Chrome's near-monopoly of browser share. [9] Some have issued official statements on the matter in 2023:

References

  1. Amadeo, Ron (August 3, 2023). "Google's nightmare "Web Integrity API" wants a DRM gatekeeper for the web". Ars Technica. Retrieved August 3, 2023.
  2. "[wei] Ensure Origin Trial enables full feature · chromium/chromium@6f47a22". GitHub. Retrieved August 19, 2023.
  3. "Feature: Web environment integrity API". Chrome Platform Status. May 9, 2023. Retrieved August 23, 2023.
  4. Claburn, Thomas (November 2, 2023). "Google abandons Web Environment Integrity proposal". The Register. Retrieved November 10, 2023.
  5. "Web-Environment-Integrity/explainer.md at main · RupertBenWiser/Web-Environment-Integrity". GitHub. Retrieved July 26, 2023.
  6. Wiser, Ben (August 18, 2023), Web Environment Integrity API, retrieved August 19, 2023
  7. "Create CODE_OF_CONDUCT.md · RupertBenWiser/Web-Environment-Integrity@7998217". GitHub. Retrieved August 19, 2023.
  8. Amadeo, Ron (July 24, 2023). "Google's nightmare "Web Integrity API" wants a DRM gatekeeper for the web". Ars Technica. Retrieved July 26, 2023.
  9. Claburn, Thomas. "Google Web Environment Integrity draft draws developer rage". The Register. Retrieved August 19, 2023.
  10. "Request for Position: Web Environment Integrity API · Issue #852 · mozilla/standards-positions". GitHub. Retrieved July 26, 2023.
  11. "Unpacking Google's new "dangerous" Web-Environment-Integrity specification". Vivaldi Browser. July 25, 2023. Retrieved July 26, 2023.
  12. Farough, Greg (July 28, 2023). ""Web Environment Integrity" is an all-out attack on the free Internet". Free Software Foundation. Retrieved July 28, 2023.
  13. Snyder, Peter (August 1, 2023). "Web Environment Integrity": Locking Down the Web. Retrieved August 29, 2023.
  14. Doctorow, Cory; Hoffman-Andrews, Jacob (August 7, 2023). "Your Computer Should Say What You Tell It To Say". www.eff.org. Retrieved August 7, 2023.
  15. "Web Environment Integrity has no standing at W3C; understanding new W3C work". www.w3.org. August 11, 2023. Retrieved August 11, 2023.