Request for Mozilla Position on an Emerging Web Specification Specification Title: Web Environment Integrity API Specification or proposal URL (if available): https://rupertbenwiser.github.io/Web-E...
To elaborate on why I’m saying a citation is needed: I read the entire proposal and specification myself, and I couldn’t find evidence affirming the statement.
The Web Environment Integrity explainer document doesn’t require, suggest, or mention script or DOM integrity status under what information is in the signed attestation. Neither does the draft specification, which is pretty devoid of details. The closest it comes to that kind of thing is only enabling the API within a secure context, which basically means “the page was served over HTTPS using a valid certificate”.
That doesn’t mean that WEI can’t be used to enforce page integrity in an extremely roundabout way1, but lacking a citation showing that it directly does that, it needs to be explained to people who are out of the loop how it can do that.
1: One of the environment details sent to a website is a unique identifier for the browser. Blocking every browser except Android Chrome would limit the ability to use extensions to modify the website, since that browser doesn’t support them.
To elaborate on why I’m saying a citation is needed: I read the entire proposal and specification myself, and I couldn’t find evidence affirming the statement.
The Web Environment Integrity explainer document doesn’t require, suggest, or mention script or DOM integrity status under what information is in the signed attestation. Neither does the draft specification, which is pretty devoid of details. The closest it comes to that kind of thing is only enabling the API within a secure context, which basically means “the page was served over HTTPS using a valid certificate”.
That doesn’t mean that WEI can’t be used to enforce page integrity in an extremely roundabout way1, but lacking a citation showing that it directly does that, it needs to be explained to people who are out of the loop how it can do that.
1: One of the environment details sent to a website is a unique identifier for the browser. Blocking every browser except Android Chrome would limit the ability to use extensions to modify the website, since that browser doesn’t support them.