Some months ago, Pablinux shared with us here a publication in which he explained to us in a fairly simple way about the Web Environment Integrity API, which he pleasantly describes in his article with DRM for the Web and throughout that time a large part of the web community criticized this API.
And it seems that now Google has listened to criticism from the community and has announced the news that has made the decision to stop promoting the Web Environment Integrity API, along with which it also removed its experimental implementation from the Chromium codebase and moved the spec repository to archive mode.
How are youl The attempt to implement the API in question raised concerns for a large part of the community, as many mentioned that if the API were implemented it could undermine the open nature of the Web and lead to greater dependence of users on individual providers, in addition to significantly limiting the ability to use alternative browsers and complicating the promotion of new browsers to the market . As a result, users could become dependent on officially released verified browsers, without which they would lose the ability to work with some large websites and services.
And although initially the idea of the API was not bad, as it was designed to give site owners the ability to ensure that the client's environment is reliable in terms of protecting user data, respecting property intellectual and interaction with a real person.
It was thought that the API could be used to filter traffic from bots when displaying advertising; combat automatically sent spam and increase ratings on social networks, Identify tampering when viewing protected content for copyright, combat cheaters and fake customers in online games, identify the creation of fictitious accounts by bots, counter password guessing attacks, phishing protection, implemented through malware that transmits results to real sites.
The new API could be useful in areas where a site needs to guarantee that there is a real person and a real device on the other side, and that the browser is not modified or infected with malware. The API is based on Play Integrity technology, already used on the Android platform to verify that the request is made from an unmodified application installed from the Google Play catalog and running on a genuine Android device.
To confirm the browser environment in which the loaded JavaScript code is executed, the Web Environment Integrit API proposed to use a special token issued by an external authenticator, which in turn could be linked by a chain of trust with integrity control mechanisms on the platform. The token was generated by sending a request to a third-party certification server, which, after performing certain checks, confirmed that the browser environment had not been modified. For authentication, EME extensions similar to those used in DRM were used to decode copyrighted media content.
The problem with the API is that it could become a problem in the short term, Since, as mentioned, its implementation significantly limits the ability to use alternative browsers and in short returns Chrome/Chromium to the only web browser with which users could work. (basically a monopoly).
Finally, it is mentioned that sand experiments continue on the Android platform with the implementation of a similar API To check the user's environment: WebView Media Integrity, which is positioned as an extension based on Google Mobile Services. It is stated that the WebView Media Integrity API will be limited to the WebView component and applications related to media content processing; For example, it can be used in WebView-based mobile applications for audio and video streaming. There are no plans to provide access to this API through a browser.
If you are interested in knowing more about it, you can check the details In the following link.