Mozilla’s position on WEI is pretty solid.

  • eth0p@iusearchlinux.fyi · 1 year ago

    To elaborate on why I’m saying a citation is needed: I read the entire proposal and specification myself, and I could not find evidence to support the claim being made.

    The Web Environment Integrity explainer document does not require, suggest, or mention script or DOM integrity status under what information is in the signed attestation. Neither does the draft specification, which is pretty devoid of details. The closest it comes to that kind of thing is only enabling the API within a secure context, which basically means “the page was served over HTTPS using a valid certificate”.

    That doesn’t mean that WEI can’t be used to enforce page integrity in an extremely roundabout way[1], but lacking evidence demonstrating that the specification explicitly provides that capability in a direct way or suggests that it is intended to be used for that purpose, it’s incorrect to state—under no uncertain terms—that it is meant to do that.

    [1]: One of the environment details sent to a website is a unique identifier for the browser. Blocking every browser except Android Chrome would limit the ability to use extensions to modify the website, since that browser doesn’t support them. It still would not prevent devtools over ADB, though.