Ben here, one of the co-chairs for the WebView CG. Super chuffed to see this pop up on hackernews today!
For a little context, our group is currently focusing our efforts this year on improving WebView compatibility data. The project is still very young and we’ll keep chipping away at it but please feel free to reach out and engage! You can find the repository here:
https://github.com/WebView-CG/Compatibility-Data-Project/tre...
Looks super cool! Clearly an idea that people want - I built something similar to this almost two years ago [1] but your project is a lot more fleshed out. I like that you actually used websockets instead of my hacky approach of using an http stream.
I’m hoping to get back to everyone as soon as possible. I hope you can all appreciate that I’m a human being and this has been a lot!
In the mean time, I wanted to repost my last comment on the GitHub issue thread [1]:
Hey all, we plan to respond to your feedback but I want to be thorough which will take time and it’s the end of a Friday for me. We wanted to give a quick TL;DR:
- This is an early proposal that is subject to change based on feedback.
- The primary goal is to combat user tracking by giving websites a way to maintain anti-abuse protections for their sites without resorting to invasive fingerprinting.
- It’s also an explicit goal to ensure that user agents can browse the web without this proposal [2]
- The proposal doesn’t involve detecting or blocking extensions, so ad-blockers and accessibility tools are out of scope.
- This is not DRM - WEI does not lock down content
- I’m giving everyone a heads up that I’m limiting comments to contributors over the weekend so that I can try to take a breath away from GitHub. I will reopen them after the weekend
> This is not DRM - WEI does not lock down content
Right, but there is a severe risk that you give the means to block non-mainstream clients, be it browsers, operating systems or devices, correct?
Yes, it's nice to know you may want to allow user agents to browse the web without WEI and I'm sure you have best intentions, but we are already in a world where banks and even stuff like Zoom just look at the user agent string and say "Ah, I don't know this browser, please install Chrome or Edge!". Why shouldn't they just similarly halt in the future if the WEI API does not exist? I (and the browser vendor) can spoof a user agent, but you can't spoof attestation, i.e. cannot fix it if websites don't allow my browser based on the (missing) WEI API. So, how will you prevent this?
How can you make sure that users of e.g. Asahi Linux will be able to use the web in the future? Who will attest their browser, based on what? How will e.g. Gentoo users use the web with their build-from-source browser and OS? Will e.g. Netflix continue to work reliably on a user agent without WEI (but with Widevine) - and will the holdback population (if holdback is implemented at all - no offense intended, but you didn't sound too confident about this on the blink-dev mailing list, tbh) be large and significant enough for them to not just say "eh, can't verify, use the app please or wait a bit"?
> It’s also an explicit goal to ensure that user agents can browse the web without this proposal
How, in an information theory sense, can you stop website operators from using this attestation information to block subsets of users? The "holdback" mentioned in your reference link seems like an optional thing, as if we're concerned about good faith actors rather than the opposite.
It would be nice if the spec included examples of how a hypothetical bad actor couldn't abuse the spec to block non-attestors. i.e. How do we stop "this website only works in Chrome on Windows" but for attestation? Right now, it's trivial to "fix" because we can lie about our environment (it's likely just reading our User-Agent) and it's unlikely that the website will actually not work in other OS/browser contexts.
Some websites really do only work in certain contexts, but I think critics' concern is what happens when the website would work perfectly fine, but it refuses to. I think this is largely the same concern people have with mobile app permissions, but those can be gatekept by mobile app stores, who can enforce political goals such as "You can't ask for permissions you don't need and refuse to work when you don't get them"; websites have no such constraints.
What's to stop websites from blocking random users now? Nothing, really. But we don't have to bypass any cryptographic attestations in order to try to work around those blocks. This spec seeks to stop that.
It's complex and nuanced, all about altering probabilities of various bad things and TBH work still needs to be done to prove a useful middle ground even exists.
But one thing I can say for sure is there's no way I'm approving Chrome adding a feature which makes it possible for websites to be viewed only in Chrome. Nobody wants that and it's listed as an explicit anti-goal of the feature. Chrome couldn't have existed in the first place without masquerading as Safari, who masqueraded as Netscape etc.., this is something we're all very aware of and committed to in Chrome as its core to the openness of the web.
I suspect you didn’t just forget. It would look good to at least explain why you’re not following through on this, as it’s now Thursday in parts of the world.
In much the same vein as something clearly profoundly hurt you and you want to ruin the web out of spite, I root for global warming because it will destroy all the infrastructure on which you wish to take a giant dump.
> giving websites a way to maintain anti-abuse protections for their sites without resorting to invasive fingerprinting.
What prevents a website from using invasive fingerprinting _AND_ WEI together? I strongly suspect websites will end up using both WEI and invasive fingerprinting because:
1. Websites will want to use invasive fingerprinting on old browsers and it would work within browsers that deliberately don't implement WEI.
2. Websites will want to get as much invasive fingerprinting information as they can get their hands on.
3. It is another layer of fingerprinting in the likely event that WEI is ineffective due to TPM exploits[1], operating system/driver exploits, web browser exploits, determined actors using rooms of computer display recording devices and robotic arm mouse movers, etc. Invasive fingerprinting further increases the cost and complexity to actors the website is trying to block.
> This is not DRM - WEI does not lock down content
It is absolutely 100% DRM. Your proposal states that devices would need to attest their configuration to the website. The website can then block the user because it doesn't want to show the news article to a Linux device where the user can block annoying pop-up ad videos, copy and paste the text or save the web page. The website can instead only allow devices which are factory-configured to block copy+paste, block saving web pages, block screenshots, etc. It's still DRM even with the proposed holdback mechanism because in the best case, a user will still be blocked 9/10 times (or whatever the holdback mechanism is set to). The more likely scenario is a website owner will just refuse to serve content until the client has attested itself. "The requested page cannot be provided due to an unexpected problem. Try again in a few minutes."
There are so many flaws with the scheme as currently proposed I feel I could write for days:
Will websites be expected to block and ban users of AMD-SP now that it is broken[1]? Or will whoever conducts ad fraud just buy all the AMD-SP devices they can get their hands on?
As another author replied, are Gentoo users that compile their web browsers and operating systems from scratch just ignored, and the proposal pretends it won't impact these users?
How does the proposal allow users with specialist accessibility software to browse the web without being blocked for being a minority group that is not economically worth website owners' time to support? What prevents abuse of said specialist accessibility software for other purposes?
How would a new start-up developing a competing browser or phone from scratch, one that is very much unknown and in a minority position, be able to convince millions of website owners to unblock/allow their new browser or phone? Cloudflare's Friendly Bots program refuses to respond to open source projects, so why would Cloudflare as an implementer of WEI care about new start-ups or small open source software projects?
(I'm assuming by football you mean American football)
It's not really a fair comparison. The NFL is a monopoly, so there is no way for athletes to vote with their feet. At various times in the past, in order to negotiate, the NFLPA has had to decertify so that it could sue the league.
The NFL is also not a good proxy, because the average career for an NFL player is 2-3 years, and it is a physically dangerous job.
Soccer does have a pretty big difference though: it isn't particularly dangerous and there are players that participate for a decade and more. That's also why it's not as centralized... Players aren't quite as endangered when entering, so they're likely more willing to participate in games with smaller payouts.
I would argue that we're overvaluing the level of danger here. All athletes risk their entire career being cut short due to injury. What the European footballing system does (by not being franchised) is allow there to be multiple levels below the "top" level which then justifies the number of children trained in the game so there are careers (of varying degrees of profitability) for many of them.
However, what we are discussing is rather the levels of money at the top of such an industry, and that concept applies to both sports, where Ronaldo can earn £25m in a year at Manchester United while still having his "dream job". Football in Europe since the Bosman ruling has allowed its players to share in the wealth of the industry; one could argue that programmers in the gaming industry are not afforded the same. It remains an interesting discussion as to exactly why that is, and I think the risks that workers take are not as relevant as the amount of money available in the game and the scarcity of the best employees available, which results in such inflationary salaries for the very best employees.
It's true of association football (soccer) as well, and that's much less cartel-ised. The players have successfully extracted such a high proportion of the surplus that the returns for the club owners as a group are negative.
> Just look at how successful football players were in getting a slice of the pie. I’d still consider that a dream job.
In this case they are the product, and there are a lot of customers. Plenty of people working on the things that make those players valuable, building and staffing stadiums, and filming and broadcasting events worldwide, that don't get a share. Because they aren't the product.
> College football gets big ratings every year with replaced players.
We're talking about professionals. If the Chiefs could replace Patrick Mahomes and save themselves $450,000,000 without impacting their business, they would.
Lucrative for a select portion of games. Like music or acting, video games are a winner-take-all marketplace (or rather, winner-take-most). The typical video game developer outside a well-known studio is working long hours for comparatively little pay because it's very likely the game is not going to make very many sales and there are plenty of passionate people willing to make sacrifices to work on video games.
As other commenters pointed out, it's not like playing in the NFL. It's more like being a high school football player trying to get into the NFL. Or an actor trying to get a part in a Hollywood movie. The chances of a company becoming lucrative off games are slim.
Aren't the well-known studios also pretty big, and the products they make absolutely humongous simply in man-hours? So even then there isn't that much to pay per employee.
There are some outliers, but most games simply either are not popular or, even if they are, they also take a huge amount of labour to develop.
Not that successful, assuming you're talking about American football. The players as a whole get a bit less than half of all revenue coming in despite being the ones to actually, you know, play the game.
That sounds a lot more successful than most other industries. I don't think software engineers, or retail employees are getting half of the business' revenue. That sounds like a pro union example.
Well, they (and the others) should be getting even less. States or cities subsidizing stadiums isn't as beneficial as originally thought. Those making obscene amounts of money from a public resource should probably contribute more to the infrastructure required to make that money.
With the added ingredient that fans follow players for a mixture of ability and personal brand. In that sense, it shares some similarities to acting. Names act as box office draws in ways that aren't purely about acting talent.
If a product makes a boatload of money how is it fair to the business to force them to pay more. What if the game instead went over budget and flopped? Should the workers now owe money to the company? Businesses that can figure out how to make the most money with the resources available to them deserve to make that money and it's unfair to take that money from them.
This is going to be the year I improve at climbing. I absolutely love the hobby and have done it on and off for years.
I’m at the age demographic where I see a lot of folk feeding into the hustle culture. While I think it’s important to keep the future in mind, I also want to recognise I’ve reached a pretty good point in my life and would like to do something that won’t improve my career in any way.
One important reason for coding questions I haven’t read in the comments is the need to avoid the interviewer’s personal bias. I’ve seen a lot of people say they can feel someone is a bad interviewer but how do you quantify that? Large corps need to protect themselves.
They also need to make candidates feel like they were tested using the same criteria as other candidates.