this post was submitted on 26 Jul 2023
820 points (99.2% liked)
DeGoogle Yourself
7743 readers
55 users here now
A community for those that would like to get away from Google.
Here you may post anything related to DeGoogling, why we should do it or good software alternatives!
Rules
-
Be respectful even in disagreement
-
No advertising unless it is very relevent and justified. Do not do this excessively.
-
No low value posts / memes. We or you need to learn, or discuss something.
Related communities
[email protected] [email protected] [email protected] [email protected] [email protected] [email protected]
founded 4 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
To elaborate on why I'm saying a citation is needed: I read the entire proposal and specification myself, and I couldn't find evidence affirming the statement.
The Web Environment Integrity explainer document doesn't require, suggest, or mention script or DOM integrity status under what information is in the signed attestation. Neither does the draft specification, which is pretty devoid of details. The closest it comes to that kind of thing is only enabling the API within a secure context, which basically means "the page was served over HTTPS using a valid certificate".
That doesn't mean that WEI can't be used to enforce page integrity in an extremely roundabout way^1^, but lacking a citation showing that it directly does that, it needs to be explained to people who are out of the loop how it can do that.
^1^: One of the environment details sent to a website is a unique identifier for the browser. Blocking every browser except Android Chrome would limit the ability to use extensions to modify the website, since that browser doesn't support them.