A Future with Web Environment Integrity

Web Environment Integrity and what it could mean for the future of the web

26 Jul 2023

As a web developer, I have a vested interest in the open web. I believe that accessing information should be open and independent. Google, on the surface, shares this interest. However, Google really wants to only support free and simple information access when it benefits their 🤑bottom line🤑.

Web Environment Integrity has caused a bit of a stir in the tech space recently, particularly because of just how malicious the current proposal is. It is a deeply unsettling sight to see, for a few reasons. To me, the concept of “DRM for websites” is something I am vehemently opposed to.

I can easily see this feature—currently touted in the proposal as a method to stop cheaters and bad actors—being twisted and manipulated to give Google a competitive edge in the internet space.

Web Environment Integrity in a nutshell

Web Environment Integrity is an API proposal that will provide websites with information regarding the validity of the hardware or software used to browse a website. It relies on three participants: a user, a website, and an attester.

The attester is an authoritative third party that verifies the hardware and software a user is using to access a website. The website requests this verification, and the response is sent to the web server.
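A toy model of this three-party exchange, added here as an illustration (it is not code from the WEI proposal or from this post): the attester signs a statement about the client, and the website verifies it before applying its own platform policy. The token layout, the `attest`/`checkRequest` helpers, the Ed25519 signature and the `example.test` values are assumptions; `org.mozilla.firefox` is the identifier used in the snippet later in this post.

```javascript
// Added example: toy model of the user / website / attester exchange.
// Token layout, field names and helper names are assumptions for illustration;
// the WEI proposal does not define them this way.
const crypto = require("node:crypto");

// Attester: holds a signing key and vouches for the client's environment.
const attesterKeys = crypto.generateKeyPairSync("ed25519");

function bindingHash(contentBinding, site) {
  return crypto.createHash("sha256").update(contentBinding + "|" + site).digest("hex");
}

function attest(platform, contentBinding, site, now = Date.now()) {
  const payload = Buffer.from(JSON.stringify({
    platform, binding: bindingHash(contentBinding, site), issuedAt: now,
  }));
  const sig = crypto.sign(null, payload, attesterKeys.privateKey);
  return payload.toString("base64url") + "." + sig.toString("base64url");
}

// Website: verifies the token, then applies its own platform policy.
const BLOCKED_PLATFORMS = new Set(["org.mozilla.firefox"]); // identifier from the post's snippet
const MAX_AGE_MS = 60_000; // constructed freshness window

function checkRequest(token, contentBinding, site, now = Date.now()) {
  const [body, sig] = String(token).split(".");
  if (!body || !sig) return { allow: false, reason: "malformed" };
  const payload = Buffer.from(body, "base64url");
  const valid = crypto.verify(null, payload, attesterKeys.publicKey,
    Buffer.from(sig, "base64url"));
  if (!valid) return { allow: false, reason: "bad-signature" };
  const claims = JSON.parse(payload.toString("utf8"));
  if (claims.binding !== bindingHash(contentBinding, site))
    return { allow: false, reason: "binding-mismatch" }; // token lifted from another request
  if (now - claims.issuedAt > MAX_AGE_MS) return { allow: false, reason: "expired" };
  if (BLOCKED_PLATFORMS.has(claims.platform))
    return { allow: false, reason: "platform-blocked" };
  return { allow: true, reason: "ok" };
}

// Constructed requests: same site and binding, different attested platforms.
for (const platform of ["com.example.browser", "org.mozilla.firefox"]) {
  const token = attest(platform, "request/id=42", "example.test");
  console.log(platform, checkRequest(token, "request/id=42", "example.test"));
}
```

Because the platform claim sits inside the signed payload, the user cannot change it without invalidating the signature; the outcome rests entirely on what the attester signs and what the site chooses to block.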

This proposal is deeply unethical and works in multiple ways to directly undermine the concept of the open web many developers have been striving to maintain for some twenty or so years. This proposal:

  1. undermines the concept of a platform-independent, open web by providing websites a cryptographically certain method to block access based on hardware or software (which they will use to their advantage and which this spec has only barely addressed)
  2. undermines the W3C’s established precedent in standardization by way of being published entirely outside the consortium’s jurisdiction
  3. undermines the open development process established by the Chromium Project years ago, by way of being published to some random GitHub account—rather than an official Google/Chromium-related GitHub account.
  4. undermines open-source review by locking down the proposal repository, making it impossible to address (or even react to!) actual concerns

This proposal is deeply misguided relative to the direction the open web should be trending towards. However, this proposal is exactly something Google would shit out so they could hamper the web as a whole. So they can transform it from a free flow of information to a regulated ecosystem of advertisers and data harvesting.

I think I remember a movie where the villain wanted a world exactly like this.

With that said, the following is a very possible future blog post that we could see on developer.chrome.com, and its existence depends entirely on whether or not WEI sees the light of day.

Our top priority at Google is to organize the world’s information. Google Search reimagined how you could find exactly what you needed. Google Chrome allows you to surf the web, and make it your own. Google Ads has allowed creators and developers (just like you!) to monetize your fantastically wonderful and experimental projects.

Over the past 2█ years, Google has nurtured the web from a mere catalog of information to a vibrant ecosystem of media, gaming, art, and everything in between. The web has expanded far beyond what anyone thought was possible, and it’s fantastic that we’ve been able to play a part in this.

Our goal at Google is not just to organize the world’s information, but to ensure everyone on the web can stay safe from bad actors and security vulnerabilities. It is your right to stay safe on the web, and our obligation to build tools that keep you safe.

Web Environment Integrity has allowed us and other vendors to securely and privately communicate your usage of a trusted device with content providers. It’s important to us that the content you access isn’t targeted by malicious actors like cheaters, spammers, and ad blockers. Everyone deserves fair play in the web space, and Web Environment Integrity ensures this.

We have recently found several security vulnerabilities within some outdated devices. Likewise, there are a few bad-acting web browsers that currently do not comply with our efforts to make the web a safer place to surf. While the majority of individuals using outdated devices or noncompliant software aren’t malicious, attackers will use platforms like these to harm your web experience.

Effective January 1, 20██, we will be updating our attester to reject verifications from user agents that match these outdated devices and noncompliant browsers. On January 1, 20██, any outdated devices or non-compliant browsers listed below will not be able to access any website that is integrated with Google Ads. This will include websites like Google Search, YouTube, YouTube Shorts, and Gmail.

Non-compliant software stacks

Effective January 1, 20██, these software stacks will cease to be validated by the attester used for websites with Google Ads integrations. Each software stack is listed with the reason for its non-compliance.

Mozilla Firefox (below v1██)

Mozilla Firefox has denied requests to implement Web Environment Integrity, which leaves users of Mozilla Firefox at risk and the browser as a whole vulnerable to malicious usage by bad actors. We will continue to support Firefox above version 1██ for now.

Chromium browsers without Manifest v3 support

Chromium browsers (including older versions of Google Chrome, Opera, and Arc Browser) that do not natively support Manifest v3 or above will be denied due to the security vulnerabilities present in older versions of Manifest.

Outdated devices

Effective January 1, 20██, these devices will cease to be validated by the attester used for websites with Google Ads integrations.

| Device Class | Reason |
| --- | --- |
| ≤ Google Pixel 4 (2019) | Unsupported by manufacturer—device may contain software vulnerabilities and exploits |
| ≤ iPhone 8 (2017) | Unsupported by first-party provider—device may contain software vulnerabilities and exploits |
| ≤ Samsung S9 (2018) | Unsupported by first-party provider—device may contain software vulnerabilities and exploits |
| Non-compliant Android devices | Android devices that have been rooted by their primary user represent a significant security risk and are typically used by malicious actors to use bots on monetized websites, which generates fake ad traffic |

What can I do if my device/software is listed?

If you are currently using a device that does not comply with the Google Attester Policy, we recommend you switch to a newer device. These devices will have stronger security policies and will be able to run the most recent version of a compliant web browser.

If you are currently using a web browser that does not comply with the Google Attester Policy, or have installed disallowed software with your web browser, we recommend you switch to a compliant browser or uninstall the disallowed software.

What should I do as a developer?

For outdated devices, we recommend displaying a banner to your user stating that the webpage is inaccessible due to security vulnerabilities.

We don’t recommend manually checking for each supported device. We will have a package rolling out in the next few weeks which will allow you to filter out unsupported devices.

For non-compliant software stacks, we recommend filtering the navigator.getEnvironmentIntegrity response object by platform identity on your web server:

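```js
// Bind the attestation to this specific request.
const contentBinding = "request/id=<requestID>" + "...";
const attestation = await navigator.getEnvironmentIntegrity(contentBinding);

// Send the encoded attestation to the web server, which validates it.
const response = await fetch("/request?id=xxxx&attested=" + attestation.encode());
// Assumption: the server replies with JSON carrying the attested platform identity.
const result = await response.json();
if (result.platform === "org.mozilla.firefox") {
  alert("Your browser is non-compliant with Web Environment Integrity");
}
```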

A safer web

These changes will be rolling out in Google Chrome Canary ███, and we will require all websites with Google Ads integrations to include filtering in the coming months.

Our commitment to the web extends past just organizing information. We work closely with other vendors like Cloudflare, Apple, and Microsoft to provide safeguarding measures that protect everyday users from malicious threats. We hope that these changes will help to make the web a safer and more enjoyable experience for all.

Of course, this is all speculation—much of it likely exaggerated. But at this point, I think it’s impossible to give Google the benefit of the doubt.