this post was submitted on 26 Jul 2023
DeGoogle Yourself
I'm outta the loop on this whole situation, what's going on?
Web dev here. It enforces the original markup and code from a server to be the markup and code that the browser interprets and executes, preventing any post-loading modifications.
That sounds a bit dry, but the implications are huge. It means:
These are just a few things off the top of my head. There are endless and very dangerous implications to WEI. This is very, very bad for the web and the antithesis of how it's supposed to be.
TBL is probably experiencing a sudden disturbance in the force.
I'm not saying you're wrong or that Web Environment Integrity is a good thing, but a primary source and citation is needed for this statement:
To elaborate on why I'm saying a citation is needed: I read the entire proposal and specification myself, and I couldn't find evidence affirming the statement.
The Web Environment Integrity explainer document doesn't require, suggest, or mention script or DOM integrity status under what information is in the signed attestation. Neither does the draft specification, which is pretty devoid of details. The closest it comes to that kind of thing is only enabling the API within a secure context, which basically means "the page was served over HTTPS using a valid certificate".
That doesn't mean that WEI can't be used to enforce page integrity in an extremely roundabout way^1^, but lacking a citation showing that it directly does that, it needs to be explained to people who are out of the loop how it can do that.
^1^: One of the environment details sent to a website is a unique identifier for the browser. Blocking every browser except Android Chrome would limit the ability to use extensions to modify the website, since that browser doesn't support them.