The browsers keep circumventing them, so the W3C seems more ceremonial than a real standards body. In an ideal world something like the W3C would own Chromium, but alas...
A suite of tests might be better: point them at a candidate browser and they'll tell you which naughty and which nice features that browser supports.
Then point the other half of the test suite at a candidate site and get a similar list of naughies and nices.
Conscientious technologists of the world can then refuse to support browsers or sites that test naughty.
This is my attempt to avoid preaching to the choir. Market share wise, only a tiny slice would opt into the non-evil browser. But it's that slice who also makes things work for the rest of the world, so:
> it's out of my scope of support unless it passes these tests
> A suite of tests might be better: point them at a candidate browser and they'll tell you which naughty and which nice features that browser supports.
Perhaps we could have a suite of Web Platform Tests? And we could host them at https://wpt.fyi ?
As long as google gets to use its monopoly to push chrome-by-default on its platforms while breaking open safari, none of that matters. The council of neckbeards representing 2% of browser share is as relevant as polling slashdot opinions, in terms of actual effected change on the world.
When those neckbeards represent 50-60% of total web traffic their opinion might matter. Marketshare is power and in realpolitik power is all that matters. The tech world is littered with the remains of the companies that made principled stands, google and Microsoft are where they are for a reason and it’s not because of their overriding morals.
Right now google has >80% of traffic and now that they have pried safari open that number is gonna climb. Their opinion is literally the only one that matters - what are you gonna do, not use google products?
if google wants to fight they’ll win, have fun getting into your gmail account if they require attestation. What are you gonna do, not use email? Change your whole internet identity to not run on google? Gmail is effectively email, and small mailservers are fundamentally broken on the modern web. Even for things like outlook.com they could require that other mailservers provide the attestation used to send it and lock people out of gmail entirely, even just needing to gmail.
It’s game over, the apple sideloading case swept away the last resistance to chrome monoculture, and google already runs a supermajority of the other web services that matter. This is google flexing their muscles now that they know they’re utterly unopposed. But unfortunately the EU is way more concerned with outlawing the lightning port and mandating 2000s-vintage removable battery phone designs than actually fighting a monopoly using its monopoly power to leverage abusive behavior in related market segments to the detriment of consumers.
This is a classic useful-idiot situation where all the android fanboys waved their flags at their “team win” over “braindead” apple fans getting the app-review process neutered by sideloading. Because it’s not enough to have a popular brand which supports that too, you need to outlaw any alternative business models to your preferred brand. And despite warnings that exactly this chrome monoculture would be the outcome, people pushed for it anyway. Wait and see, they said, we’ll cross that bridge when we come to it and if google starts to be a problem the EU will step in. It took literally a matter of weeks before google just went ahead and crossed that bridge. Extremely frustrating.
And yea, safari has some attestation features too. Not necessarily the same ones as google, and they don’t prevent Wipr or Adblock Plus extensions from working. But now you’ve gone and made sure there’s no alternative browsers that don’t, either. You pushed this on yourself. sideloading has locked in an unshakeable chrome monopoly marketshare, it’s going to be a massive uphill battle to sell people on Firefox when it doesn’t even work on almost any relevant web services because it doesn’t (by design) allow attestation.
Almost as if... most of Apple's iOS stances aren't just random/exploitative, but actually have some basis in security posture or app-review. And almost as if... Apple is still fundamentally trying to sell you a phone first and foremost, then icloud/apple music revenue, and then adtech is way down on the list, while google makes all its money from (a) ecosystem effect and the monopolistic behaviors it allows, and (b) direct revenue from adtech. People keep trying to push the "apple is the same thing!" and just like you can see from their attestation not caring about adblocking, it's really not.
I loathe that the brand wars have gotten to this place, "both sides are the same" but also they are different enough that you need to literally outlaw the business model of your competition and reduce choice in the market. Can't let some "brainless" apple fan m...
the W3C's role has been explicitly and intentionally ceremonial since they tried to invent xhtml, and learned exactly how much power they really have.
their mission is only to write formal standards to describe and document the things that browsers have already implemented, not to drive browser development.
I don't really agree. Topics are materially different from FLoC. Especially in the way of moving it from a shady background activity into something the user can interact with.
Also, nobody really gives a shit about it. WEI could break adblockers and that would be a huge issue.
And Google wanted WebM to happen and for people to pay full-retail price for rented games.
Google isn't (yet) big enough to force it through: given iOS marketshare in the US it means web-app devs won't (can't?) do anything unless both Apple and Google adopt it (yes, there are plenty of Chrome-only websites, and Safari has been slow to adopt new web-standards, especially when they begin to tread on the toes of Apple's App Store (PWAs, WebUSB, etc).
----
That said, I am sympathetic to the reasons why orgs like banks want things like remote-device attestation (and am less sympathetic to the likes of the MPAA, etc) - it is unfortunate that better ideas are hard to come by.
> Safari has been slow to adopt new web-standards, especially when they begin to tread on the toes of Apple's App Store (PWAs, WebUSB, etc).
Many of those are not "new web standards". Those are Chrome-only non-standards, and Firefox agrees with Safari on most of them.
As for PWAs, there's no such thing as a single PWA standard, and Safari has supported the vast majority of the PWA standards for years (but if you point that out, the goalposts of what constitutes a PWA shift faster than superheated plasma).
How critical that is, compared to WEI - and more broad problem adopting it entails, namely a single company basically dictating the whole web what it can and cannot do?
Reading through that page it looks like a combination of Safari (a) prioritising privacy and performance and (b) not implementing draft specs. With a whole bunch of bugs that have already been fixed.
IndexedDB's API design is one of the worst I've ever seen (next to the original JS document.cookies "API")
Fortunately, Safari does support OPFS ( https://stackoverflow.com/a/71581910/159145 ) so provided you don't need all of IndexedDB's features and just need an async blob store for large blobs/files/etc (potentially gigabytes and beyond) then OPFS should work for you.
They couldn't really push VP9/Opus without making it available in a non-Google proprietary format. WebM seemed more like a vehicle for that.
The amount of popular videos served on YouTube in VP9 and Opus may not exactly be WebM, but the codec support byproduct it pushed probably saved Google/YouTube a huge pile of cash.
Safari's support for WebAuthn does not include support for "direct attestation", if that's what you're referring to.
EDIT: Or do you mean "Private Access Tokens"? I just found out about this now and wow... looks like I've got some reading to do, but so-far it seems far more limited in scope than Google's version, and doesn't seem like it can be used to fingerprint visitors between sessions either. ( https://httptoolkit.com/blog/apple-private-access-tokens-att... )
I indeed mean PATs. They are not more limited than WEI in any meaningful way. Both could in principle attest anything. Both claim they are meant to attest only certain kinds of properties. They would be just as useful (or useless) for fingerprinting.
So, first of all, the entire point of the GP was that Apple would be slow to implement this. Clearly that is not true.
But also JFC, it is amazing how the moment it is pointed out that Apple is already doing a thing that's being railing at, and the reaction shifts from outrage to basically "I wonder what amazing and important reason they have for doing this" and "nobody but Apple can possibly be allowed to benefit from this because monopoly".
Apple's stated reason is exactly the same as Google's. To make a privacy-preserving anti-abuse signal for browsers. Apple need it because they are piping their best customers' traffic into what is basically an open sewer of IP reputation (Apple Private Relay), and need a way to avoid said customers giving up in disgust due to the high rate of captchas. Google need it because they want to remove all fingerprinting vectors, and need privacy-preserving replacements for legit use cases.
Putting your head in the sand and making assumptions doesn't lead to good outcomes. If you can't find the time to understand what is being discussed, perhaps it is better to simply not offer an opinion on the matter. Opinions based on assumptions are dangerous.
And we still have people crying Safari being new IE all the time. The remaining minor incompatibilities that we have now are nothing compared to what we had in IE6 days, and yes, this is the price we pay for not giving complete control of the web to a single ad company.
> Safari has been slow to adopt new web-standards, especially when they begin to tread on the toes of Apple's App Store
Cautious.
Many of those web-standards e.g. WebUSB have significant security vectors and have been used in the past to fingerprint devices for advertiser tracking. Also many have impacts on battery life and performance.
Whereas Chrome seems to be getting slower and bloated over time, Safari has remained fast and light-weight.
> I am sympathetic to the reasons why orgs like banks want things like remote-device attestation
I'm not. I mean, I am in theory; being able to warn a user their device might have some sort of malware upon trying to log into a banking website is useful, but we've already seen how banks handle these things in practice with mobile devices having attestation capabilities.
The result is some banking apps refuse to run on my phone with a very up-to-date and definitely not compromised LineageOS, but will happily run on devices several years out of date. Google SafetyNet can tell that the bootloader is locked and the system partition hasn't been modified, but can't tell that some malware has gained root access by privilege escalation.
I don't want them doing that to their websites as well. This technology should not be let loose on the world.
At the core of this allegation appears to be Google's decision to push hardware makers to adopt the AV1 codec, an open video codec that promises better-looking 4K videos at lower bitrates. As Protocol first reported in October, Google is requiring makers of Android TV devices to support AV1 starting this month. Additionally, Google also seems to push makers of smart TVs and streaming devices not based on Android TV to use AV1 for YouTube.
...
Google has long forced device makers to use the free VP9 codec for 4K YouTube streams.
This is true in the sense that Google is running an experiment (an "origin trial") and they didn't need anyone's permission to do that. (None of the other browser vendors need to get permission to run an experiment either.)
That's different from making it a web standard. They will want cooperation from other browser vendors (not random people on the Internet) for that.
I doubt they'll make a serious effort at convincing anyone of anything until they decide what they want to do, which will be based on the results of the experiment.
E.g., I don't see WHATWG contributing anything of relevance regarding web accessibility, whereas W3C takes care of accessibility with WAI-ARIA and WCAG.
My understanding is that WHATWG doesn't govern standards at all - it basically documents what browsers are doing at the moment. So when Google rolls WEI in a Chrome update, it will become a WHATWG "standard" automatically. Is that correct?
To actually become a standard it needs at least two inependent implementations.
But it's interesting that you wrote what you wrote. Because that's exactly what Chrome is doing: it's announcing an intent to implement, and then enables whatever they intend by default. Oh, they do pretend to ask other vendors about their position, but ship anyway. And then use web.dev to pretend it's a standard.
I'd believe this- if it were not for the fact that Google is ignoring the W3C across the board. This includes privacy sandbox (fledge) and topics (floc) as well. Google can come up with good reasons why something that has negative impacts on the entirety of the ecosystem (except them), because it always ends with Google in a stronger position
What's there to believe? Standards follow implementations. The W3C aren't the browser police; they just standardize the interoperable things browsers do.
It's not W3C's (or WhatWG's) role to "oppose" random things browser vendors decide to do.
I wrote postal letters to the FTC, the president, my senators and congressman telling them to investigate WEI as another monopoly move on the part of Google and highlighted that the FBI says you should use an ad blocker.
The letter to the FTC might do something, in a statistical sense, if they're already tracking the correspondence they're getting because this issue is in their purview. The other letters are a waste of paper and ink.
It can't be their role. Standard organizations enjoy no de jure authority at all. The most they could possibly do is certify all the other "complying" browsers as "W3C-approved", and nobody cares who doesn't already care about the particulars here.
Maybe, but it's a moot point, because there's no way to get from here to there. If the browser vendors want to add a standard, they will; and if they don't, they won't. On one or two prior occasions the W3C has proposed something that the browser makers didn't like, they unanimously told the W3C to go pound sand, and that was the end of it.
> Who enforces electrical and network standards? Those don't require world police.
Most blocs have their own standards. Commonwealth countries follow one standard, EU countries another, North American engineering standards are not the same as Japanese ones.
The W3C had their chance in the early 2000s and they hyperfixated on XML nonsense while browser and web evolution stagnated. I'm not saying that the status quo is perfect, but if we want W3C to try again then we should make sure we don't run into the same issues 20 years ago.
And here I thought web evolution stagnated in the early 2000s due to IE6. It's vital we don't get locked into a single dominant browser that ignores open standards whenever it's convenient to them.
The web's stagnation was not monocausal. IE6 was bad, but W3C wasn't doing anything to help beyond fixating on XML work that never went anywhere.
I agree we shouldn't let a single web browser dominate. I'm just saying that the W3C doesn't have any power to do so nor have they shown themselves capable of pulling it off.
Im not sure whether that example supports your point. The Oxford dictionary is essentially an authority on spelling, and their editors and councils definitely have weight in debates on the proper spelling of things.
Wait. No. The OED is descriptive of English (UK only?) but is not prescriptive. They don't tell people what to spell or what they need to mean. They describe the spelling and meaning as it is being done. This is why there are new words that get added every year. It's not as if OED sit around and think of new words.
I'm not arguing if the OP is right or not but I don't think the OED example is correct.
It’s just a bad example. The Oxford Dictionary is just a publication of Oxford University Press. A popular one perhaps, but fundamentally no different than a Webster’s, or even say a Random House. Even giving it authority as a speller is suspect, since as an American, I can say with confidence that Oxford doesn’t know how to spell.
A better example would be a language academy, however English has never had a language academy, unlike French or Spanish, resulting in it being a stubbornly descriptivist, rather than prescriptivist phenomenon.
> Even giving it authority as a speller is suspect, since as an American, I can say with confidence that Oxford doesn’t know how to spell.
The OED, in my experience, covers the varieties of English spelling quite well, and if you want no distractions as an American but can deal with less extravagantly complete coveraged, you can always use the OAD.
> Even giving it authority as a speller is suspect, since as an American, I can say with confidence that Oxford doesn’t know how to spell.
I had to give a chuckle at that, but seriously, the way in which words are spelt (ahem) in the OED is genuinely interesting! They use both -ize and -ise, for instance, choosing one or the other based on each individual word's etymology.
I recently saw an author on social media remarking that their editor complained that they were mixing American and British spellings, and they should just pick one. The author was confused by the statement, because they didn’t there was anything unusual going on. Then the penny dropped. They’re Canadian.
That’s not really true. The OED is a historical/scientific work. Its goal is to describe the English language, not to influence it. Things are not described as proper or improper in the OED, though they may of course be described as colloquially, nonstandard, regional, etc., which are not value judgments. A lot of words, especially the ones that have been around for a while, have absolutely tons of variant spellings listed, most of which a normal literate modern person has never heard of.
Source: I have an OED subscription and look at it regularly.
> Then why are they making standards in the first place?
For one thing, membership in W3C is loaded with representatives from those browser vendors. Which is a good thing, since W3C would be absolutely useless if browser vendors weren't there.
For another, standards aren't the place for rants about who sucks shit and who doesn't. It would be a fun read, but a bad standard. A standard is for saying what you must do, not for saying who sucks shit.
The W3C's draft vision statement [0] clearly states:
> Aim to reduce centralization in Web architecture, minimizing single points of failure and single points of control.
IMO it is entirely in scope for, and part of the responsibility of, the W3C to introduce a specification that explicitly forbids user agents from implementing Web Environment Integrity or any similar system as currently drafted.
One might say that the members' conflicts of interest make it likely that they will abdicate this responsibility, but that doesn't make it any less their role!
Maybe Google cares, maybe not, but there's no sense in having a spineless standards body that just turns around and says that the spec is whatever Google implements in Chrome.
The W3C has no ability to "forbid" anything. You're going to find professional organizations resistant to undertakings that beclown themselves. W3C's statute and importance is improved when they publish things that the industry implements. That is the only mechanism they have to find impact. They are not the Internet police. I know this is fuzzy-seeming because of all the "MUST NOT"'s in standards language, but it's not really fuzzy at all.
It's not really that Google is ignoring the standards process. It's that the process involves a feature-flagged shipped implementation before it can be a part of the standard.
The only way for FLoC to become a standard is for them to do exactly what they're doing now - opt in/feature-flagged evaluation.
Of course, Google could continue to ignore the standards process and just make this generally available in their browser even if it doesn't become a standard.
> Of course, Google could continue to ignore the standards process and just make this generally available in their browser even if it doesn't become a standard.
That's exactly what they've been doing with dozens of "standards".
Considers who was on the other side of the military conflict in which the first, only, and still active UN military command was involved as a direct party and...
China at the time referred to the Republic of China, i.e. Taiwan. And the USSR's delegation to the UN was boycotting the UNSC entirely (and immediately began using their power to prevent any further UNSC resolutions regarding Korea being passed as soon as they stopped boycotting).
Has there ever been an anti-trust suit on the grounds that an actor is using their market dominance to subvert a standards process/body? Is there any legal precedent or standing for such a thing in the US or elsewhere?
I don't think web standards work that way. Often times we'll see things get deployed and implemented before they become standards anyway. And it's not as if W3C has any authority. But even if W3C had any authority, Google and Apple would just pay off every seat.
Not a perfect example, but the UK CMA took issue with the removal of third party cookies from Chrome because of concern about anti competitive impact on digital advertising and managed to extract some pledges from Google.
I like the idea of spinning Chrome out, but how would that work in practice?
Seems like making a browser isn’t profitable at all, and so the hypothetical Chrome Browser Corporation would probably quickly turn to evil tracking schemes as well.
If Blink and Chrome were to be spun out, it should probably be into something like a non-profit organization funded by sponsors, with a model similar to that of Blender. The only difference is that given Blink/Chrome's dominance, it'd be necessary to bar Alphabet and other companies with overwhelming power in web tech from becoming sponsors to help prevent conflict of interest.
This could have the effect of normalizing corporate investment in FOSS web engines and browsers, which could benefit Mozilla as well.
Right. So the US defying the UN matters in terms of real-world effect, but the UN defying the US doesn't.
In the analogy here, wouldn't the W3C be the UN defiantly making toothless proclamations that Chrome (the US) can simply ignore? That would be my understanding of it, since "mattering about as much" implies not mattering at all.
The ICC is independent of the UN. Also its treaty based so you have to consent to its juridsiction at least once (or have the UN security council give it juridsiction) so of course there are no consequences for countries that haven't signed up. Anyways this is a really bad example (you are probably trying to reference invade hauge act, but even still that doesn't fit.
US does ignore UN in other ways, but the ICC isnt an example of that.
The UN and the ICC are two different organizations (maybe you're thinking of the ICJ?), and the US isn't party to the Rome Statute either. That said, yes this law is dumb.
But could someone else create a W3C proposal that could counteract WEI? It wouldn't have to implementation-specific but rather one or more principles drawing a line in the sand that shouldn't be crossed like what WEI is built to achieve?
If a user who is not you uses a browser using WEI (implicitly approving of this attestation tech) and connects to a website that uses WEI, that's entirely up to third-parties and there's nothing legal that you can do.
The most you can do is protest this with:
1. Using a browser without WEI or with WEI disabled.
2. Modifying your own site to talk the WEI protocol but for any browser that can talk that protocol, you ban the user from using your site (or redirect them to a site explaining how WEI is DRM of the entire internet, etc)
Moving beyond White Hat to Grey Hat and Black Hat, you get things like:
1. Modifying your own hosting company to apply this WEI-blacklisting mechanism to your clients' websites.
2. Convincing (or "convincing") owners of core backend libraries in popular programming languages to introspect connections and blacklist WEI-compatible browsers.
3. Take advantage of XSS vulnerabilities to interfere with WEI operations on other tabs within the same browser on the user's machine if they happen to be using your website.
4. Take advantage of vulnerabilities in the WEI protocol to corrupt the underlying attestation system so it fails to function in all future WEI requests for that physical machine.
5. Hack/Crack attestation system security and publicly release the keys, making any hardware using that version suspicious/blacklisted by users of WEI.
6. Probably some other things I haven't thought of, but as you can see they quickly go from dubiously legal to straight-up illegal. It would be best to nip WEI in the bud before such measures are deemed necessary.
If you like what the W3C is doing for the privacy, accessibility and openness of
the Web, you can become a W3C participant. Upon finding a W3C Working
Group[1] to which you think you could contribute, you can send an email to the
address of that WG's 'Staff Contact' explaining how you think you could help. If
the Chairs and the Staff Contact agree, they will ask you to join as an 'Invited
Expert' (IE). This does not confer voting rights but grants you access to the
meetings, relevant Git repositories etc. You'll need to sign a licensing agreement allowing the W3C to freely publish your contributions.
I say this because, at first glance, it seems like the only stakeholders with
any influence are W3C Members. The reality is that W3C is very open to
contributions from individuals, but just has had a constitutional framework that
makes things slightly more complicated for individuals, a situation which they are
deliberately improving.
As for myself, I'm an IE for the W3C in the Linked Data area, so whilst of course I do not speak for the W3C, I would be more than happy to answer questions here on HN about how the W3C works.
His team lead (Dmitry Zagidulin) liked what we were doing a lot. But ultimately Tim chose to go in a different direction, spun off "Inrupt" and left MIT. We continued building our open source platform to try to realize the vision he keeps writing about: https://theconversation.com/tim-berners-lees-plan-to-save-th...
Ultimately, my point is that we tried our best. I even hired Dmitry when he left Tim's project for a while, but very quickly Dmitry got demotivated to work with us because we were putting out working code for customers, instead of conforming to standards. Back then I argued to him that we don't have a ton of funding and executions matters more, after which the winners can help spearhead the standards. After all, Twitter pioneered oAuth, and Meebo+Google pioneered xAuth (if anyone remembers that). Dmitri and I did.
So we went our separate ways, and I realized that standards are an expensive detour that can work if you have extra funds to hire people. We plan to support Matrix, Mastodon and other interoperability. But for the time being, our platform is "just" free and open source.
Whether it's the UBI "movement", or the decentralized web, or other initiatives, everyone seems to go their separate way and it fizzles out (e.g. https://decentralizedweb.net and https://indieweb.org/). I wish people were willing to join forces on projects more, and get each other funded. That's how we can build real open source alternatives to the corporate internet we are all forced to depend on.
W3C and IETF standards are aspirational wishes that vendors routinely violate or ignore with intent or by buggy code. It's the responsibility of all ethical engineers to:
0. seek out appropriate, minimum friction standards before reinventing the wheel
Thanks for your interesting response. Although I don't really want to admit it, you are right in some cases that "standards are an expensive detour", because I've been involved with one of those myself! On the other hand, when the object of standardisation is very clearly defined, eminently possible and widely usable, a consensus-backed standard can be made very rapidly indeed.
Data canonicalisation is one such example: although the idea has been around for quite a while, a couple of years ago lots of people spontaneously decided it was something they needed (myself included!), and here we are with RDF canonicalisation[1] nearing Candidate Recommendation not even halfway through its WG's charter, along with several mutually independent approaches also in a good state of development. The result of this is that in about one more year from now, software developers will find cryptographic verification of data considerably more consistent, which can be translated into a pretty significant boon for Web users.
The ideal timing of a standard is surely after the limits of the idea have been found by theorising or prototyping, and before anyone with that idea has a large enough commercial interest in it to benefit from a monopoly on it. Trying to build a monopoly first and then 'donating' it by spearheading a standard is a viable technique, but it feels risky to me unless you can be sure that you're really the only party who understands the idea, and so won't be overtaken by someone with equally monopolistic but less altruistic motives.
I think that a good place to start is limiting the scope of a proposed standard very consciously, unless as you say you have the funds to hire everyone you need to implement it entirely at least once. Although I'm not familiar enough with your project to comment on any details, I suspect that most social network or forum applications could implement one way ActivityPub or Matrix support easily, and also proper two-way federation unless the original software makes too many assumptions about identity.
That's good to hear because I really wanted to join one of the more recent groups that were formed about a year or two ago, but I didn't make the open invitations in time. Figured the door was closed but I've thought about reaching out to offer.
I would like to suport the W3C Line Mode Browser. It still compiles on the present-day computers I have; I use it from time to time for the nostalgia, to remind myslef how fast computers and the internet have become.
The W3C took a hit to it's influence in the early 2000s after their introduction of RDF (Resource Description Framework), the technology behind Linked Data and XHTML. Whilst technically superior and philosophically more elegant than the raw HTML they sought to enhance (note that HTML5 hadn't been invented at this point), it was not immediately very popular - the concept of Linked Data was somewhat harder to understand than the concept of markup, and getting it wrong would mean your website might fail to display. This lead to the creation of WHATWG, which holds sway over HTML5 and some miscellaneous JavaScript browser APIs, but still a very limited set of Web features compared to the W3C, which standardises lots of areas including CSS.
I would say that it was a pretty minor loss of influence overall, and their Linked Data is now used in almost all websites in at least a basic metadata capacity, which is how those 'social links' work (where you paste a URL in a chatroom or social network and find the title, logo and header picture appear automatically) for instance. More extensive use of Linked Data is often not directly visible to website visitors, but will soon form the foundation of a number of digital identity card systems, even for entire countries, and will do so in a way which has the potential to be significantly more privacy-friendly than a traditional 'citizen number' approach.
I'm currently a participant in the Linked Data area of W3C's work, but I wasn't around during the events I describe above. Resilient Web Design[1], a short but excellent ebook by Jeremy Keith is a good read for understanding why RDF didn't catch on initially, and anything by Manu Sporny will be worth reading/watching for getting a positive description of how useful RDF and Linked Data can be (his introduction video to the topic, for instance[2]).
130 comments
[ 2.8 ms ] story [ 186 ms ] threadThen point the other half of the test suite at a candidate site and get a similar list of naughies and nices.
Conscientious technologists of the world can then refuse to support browsers or sites that test naughty.
This is my attempt to avoid preaching to the choir. Market share wise, only a tiny slice would opt into the non-evil browser. But it's that slice who also makes things work for the rest of the world, so:
> it's out of my scope of support unless it passes these tests
Might impact a wider audience.
Perhaps we could have a suite of Web Platform Tests? And we could host them at https://wpt.fyi ?
If Google adds WEI to chromium, will wpt.fyi flag it as broken?
If the WEI proposal keeps progressing towards a standard I'd expect that team to submit a test to WPT, yes.
When those neckbeards represent 50-60% of total web traffic their opinion might matter. Marketshare is power and in realpolitik power is all that matters. The tech world is littered with the remains of the companies that made principled stands, google and Microsoft are where they are for a reason and it’s not because of their overriding morals.
Right now google has >80% of traffic and now that they have pried safari open that number is gonna climb. Their opinion is literally the only one that matters - what are you gonna do, not use google products?
if google wants to fight they’ll win, have fun getting into your gmail account if they require attestation. What are you gonna do, not use email? Change your whole internet identity to not run on google? Gmail is effectively email, and small mailservers are fundamentally broken on the modern web. Even for things like outlook.com they could require that other mailservers provide the attestation used to send it and lock people out of gmail entirely, even just needing to gmail.
It’s game over, the apple sideloading case swept away the last resistance to chrome monoculture, and google already runs a supermajority of the other web services that matter. This is google flexing their muscles now that they know they’re utterly unopposed. But unfortunately the EU is way more concerned with outlawing the lightning port and mandating 2000s-vintage removable battery phone designs than actually fighting a monopoly using its monopoly power to leverage abusive behavior in related market segments to the detriment of consumers.
This is a classic useful-idiot situation where all the android fanboys waved their flags at their “team win” over “braindead” apple fans getting the app-review process neutered by sideloading. Because it’s not enough to have a popular brand which supports that too, you need to outlaw any alternative business models to your preferred brand. And despite warnings that exactly this chrome monoculture would be the outcome, people pushed for it anyway. Wait and see, they said, we’ll cross that bridge when we come to it and if google starts to be a problem the EU will step in. It took literally a matter of weeks before google just went ahead and crossed that bridge. Extremely frustrating.
And yea, safari has some attestation features too. Not necessarily the same ones as google, and they don’t prevent Wipr or Adblock Plus extensions from working. But now you’ve gone and made sure there’s no alternative browsers that don’t, either. You pushed this on yourself. sideloading has locked in an unshakeable chrome monopoly marketshare, it’s going to be a massive uphill battle to sell people on Firefox when it doesn’t even work on almost any relevant web services because it doesn’t (by design) allow attestation.
Almost as if... most of Apple's iOS stances aren't just random/exploitative, but actually have some basis in security posture or app-review. And almost as if... Apple is still fundamentally trying to sell you a phone first and foremost, then icloud/apple music revenue, and then adtech is way down on the list, while google makes all its money from (a) ecosystem effect and the monopolistic behaviors it allows, and (b) direct revenue from adtech. People keep trying to push the "apple is the same thing!" and just like you can see from their attestation not caring about adblocking, it's really not.
I loathe that the brand wars have gotten to this place, "both sides are the same" but also they are different enough that you need to literally outlaw the business model of your competition and reduce choice in the market. Can't let some "brainless" apple fan m...
their mission is only to write formal standards to describe and document the things that browsers have already implemented, not to drive browser development.
Also, nobody really gives a shit about it. WEI could break adblockers and that would be a huge issue.
Google isn't (yet) big enough to force it through: given iOS marketshare in the US it means web-app devs won't (can't?) do anything unless both Apple and Google adopt it (yes, there are plenty of Chrome-only websites, and Safari has been slow to adopt new web-standards, especially when they begin to tread on the toes of Apple's App Store (PWAs, WebUSB, etc).
----
That said, I am sympathetic to the reasons why orgs like banks want things like remote-device attestation (and am less sympathetic to the likes of the MPAA, etc) - it is unfortunate that better ideas are hard to come by.
Many of those are not "new web standards". Those are Chrome-only non-standards, and Firefox agrees with Safari on most of them.
As for PWAs, there's no such thing as a single PWA standard, and Safari has supported the vast majority of the PWA standards for years (but if you point that out, the goalposts of what constitutes a PWA shift faster than superheated plasma).
https://gist.github.com/pesterhazy/4de96193af89a6dd5ce682ce2...
Fortunately, Safari does support OPFS ( https://stackoverflow.com/a/71581910/159145 ) so provided you don't need all of IndexedDB's features and just need an async blob store for large blobs/files/etc (potentially gigabytes and beyond) then OPFS should work for you.
The amount of popular videos served on YouTube in VP9 and Opus may not exactly be WebM, but the codec support byproduct it pushed probably saved Google/YouTube a huge pile of cash.
EDIT: Or do you mean "Private Access Tokens"? I just found out about this now and wow... looks like I've got some reading to do, but so-far it seems far more limited in scope than Google's version, and doesn't seem like it can be used to fingerprint visitors between sessions either. ( https://httptoolkit.com/blog/apple-private-access-tokens-att... )
Though I cannot help but wonder why exactly they did that. Some kind of a corporate requirement?
But also JFC, it is amazing how the moment it is pointed out that Apple is already doing a thing that's being railing at, and the reaction shifts from outrage to basically "I wonder what amazing and important reason they have for doing this" and "nobody but Apple can possibly be allowed to benefit from this because monopoly".
Apple's stated reason is exactly the same as Google's. To make a privacy-preserving anti-abuse signal for browsers. Apple need it because they are piping their best customers' traffic into what is basically an open sewer of IP reputation (Apple Private Relay), and need a way to avoid said customers giving up in disgust due to the high rate of captchas. Google need it because they want to remove all fingerprinting vectors, and need privacy-preserving replacements for legit use cases.
That's not what I said.
I don't care who does this, I will despise it either way, I just hope that Apple at least has a proper justification to do this.
> Google need it because they want to remove all fingerprinting vectors, and need privacy-preserving replacements for legit use cases
"Legit" defined by whom? Google? I am sorry but at this point Google has burned almost all trust, at least with me.
Cautious.
Many of those web-standards e.g. WebUSB have significant security vectors and have been used in the past to fingerprint devices for advertiser tracking. Also many have impacts on battery life and performance.
Whereas Chrome seems to be getting slower and bloated over time, Safari has remained fast and light-weight.
I'm not. I mean, I am in theory; being able to warn a user their device might have some sort of malware upon trying to log into a banking website is useful, but we've already seen how banks handle these things in practice with mobile devices having attestation capabilities.
The result is some banking apps refuse to run on my phone with a very up-to-date and definitely not compromised LineageOS, but will happily run on devices several years out of date. Google SafetyNet can tell that the bootloader is locked and the system partition hasn't been modified, but can't tell that some malware has gained root access by privilege escalation.
I don't want them doing that to their websites as well. This technology should not be let loose on the world.
When they want, Google literally strongarms various vendors into implementing their codecs: https://www.protocol.com/youtube-tv-roku-issues
--- start quote ---
At the core of this allegation appears to be Google's decision to push hardware makers to adopt the AV1 codec, an open video codec that promises better-looking 4K videos at lower bitrates. As Protocol first reported in October, Google is requiring makers of Android TV devices to support AV1 starting this month. Additionally, Google also seems to push makers of smart TVs and streaming devices not based on Android TV to use AV1 for YouTube.
...
Google has long forced device makers to use the free VP9 codec for 4K YouTube streams.
--- end quote ---
That's different from making it a web standard. They will want cooperation from other browser vendors (not random people on the Internet) for that.
I doubt they'll make a serious effort at convincing anyone of anything until they decide what they want to do, which will be based on the results of the experiment.
A stance to irrelevance, sadly.
This was always the deal with the devil that W3C had; play ball with the vendors or get left in the dust.
W3C is not only about HTML, JavaScript, and CSS.
https://en.m.wikipedia.org/wiki/World_Wide_Web_Consortium#St...
E.g., I don't see WHATWG contributing anything of relevance regarding web accessibility, whereas W3C takes care of accessibility with WAI-ARIA and WCAG.
To actually become a standard it needs at least two inependent implementations.
But it's interesting that you wrote what you wrote. Because that's exactly what Chrome is doing: it's announcing an intent to implement, and then enables whatever they intend by default. Oh, they do pretend to ask other vendors about their position, but ship anyway. And then use web.dev to pretend it's a standard.
- Accessibility
- Authentication
- CSS
- Self-Sovereign Identity
- Virtual Reality
- Linked Data
- XML
I wrote a comment about the W3C's relationship with WHATWG a few days ago: https://news.ycombinator.com/item?id=37052428
If you do nothing else, please pass your eyes over the list of W3C Recommendations and other publications on standards track: https://www.w3.org/TR/
And yes, even VRML :)
https://www.w3.org/MarkUp/html-spec/ HTML 2 (the wild west)
https://www.w3.org/MarkUp/Wilbur/ HTML 3.2
https://www.w3.org/TR/WD-html40-970708/appendix/changes.html Diffs of HTML 3.2 -> 4
https://www.w3.org/People/Raggett/book4/ch02.html History of HTML until 3.2
https://www.w3.org/TR/html401/ HTML 4
https://www.w3.org/TR/html5-diff/ Diffs of HTML 4 -> 5
https://www.w3.org/TR/2021/NOTE-html53-20210128/ HTML 5.3 (last version on W3C)
https://html.spec.whatwg.org/multipage/ HTML5.3+ (moved to whatwg)
https://www.w3.org/MarkUp/VRML/ Virtual Reality Markup Language
It's not W3C's (or WhatWG's) role to "oppose" random things browser vendors decide to do.
You should too.
https://www.ftc.gov/about-ftc/bureaus-offices/bureau-competi...
for the FTC's contact information
Most blocs have their own standards. Commonwealth countries follow one standard, EU countries another, North American engineering standards are not the same as Japanese ones.
Who would grant them such a authority and how would it be enforced?
I agree we shouldn't let a single web browser dominate. I'm just saying that the W3C doesn't have any power to do so nor have they shown themselves capable of pulling it off.
Then why are they making standards in the first place?
They're already deeply involved in the operation of browsers; they are practically morally obliged to object to things which could harm the Web.
I'm not arguing if the OP is right or not but I don't think the OED example is correct.
A better example would be a language academy, however English has never had a language academy, unlike French or Spanish, resulting in it being a stubbornly descriptivist, rather than prescriptivist phenomenon.
The OED, in my experience, covers the varieties of English spelling quite well, and if you want no distractions as an American but can deal with less extravagantly complete coveraged, you can always use the OAD.
Oxford seems to know how to spell quite well.
I had to give a chuckle at that, but seriously, the way in which words are spelt (ahem) in the OED is genuinely interesting! They use both -ize and -ise, for instance, choosing one or the other based on each individual word's etymology.
The OED includes American spellings for all of its entries.
Source: I have an OED subscription and look at it regularly.
For one thing, membership in W3C is loaded with representatives from those browser vendors. Which is a good thing, since W3C would be absolutely useless if browser vendors weren't there.
For another, standards aren't the place for rants about who sucks shit and who doesn't. It would be a fun read, but a bad standard. A standard is for saying what you must do, not for saying who sucks shit.
> Aim to reduce centralization in Web architecture, minimizing single points of failure and single points of control.
IMO it is entirely in scope for, and part of the responsibility of, the W3C to introduce a specification that explicitly forbids user agents from implementing Web Environment Integrity or any similar system as currently drafted.
One might say that the members' conflicts of interest make it likely that they will abdicate this responsibility, but that doesn't make it any less their role!
[0] https://www.w3.org/TR/w3c-vision/#principles
Maybe Google cares, maybe not, but there's no sense in having a spineless standards body that just turns around and says that the spec is whatever Google implements in Chrome.
The only way for FLoC to become a standard is for them to do exactly what they're doing now - opt in/feature-flagged evaluation.
Of course, Google could continue to ignore the standards process and just make this generally available in their browser even if it doesn't become a standard.
That's exactly what they've been doing with dozens of "standards".
Not sure I understand your point.
https://www.reuters.com/article/idINIndia-29194320070828
https://www.reuters.com/article/us-microsoft-standard/micros...
https://www.computerworld.com/article/2548569/ecma-approves-...
https://www.reuters.com/world/uk/uk-regulator-accepts-google...
Seems like making a browser isn’t profitable at all, and so the hypothetical Chrome Browser Corporation would probably quickly turn to evil tracking schemes as well.
They do implement ad blocking/anti fingerprinting. Mozilla obviously has to continue setting Google as the default search engine.
This could have the effect of normalizing corporate investment in FOSS web engines and browsers, which could benefit Mozilla as well.
Are those accidentally reversed?
In the analogy here, wouldn't the W3C be the UN defiantly making toothless proclamations that Chrome (the US) can simply ignore? That would be my understanding of it, since "mattering about as much" implies not mattering at all.
US does ignore UN in other ways, but the ICC isnt an example of that.
But could someone else create a W3C proposal that could counteract WEI? It wouldn't have to implementation-specific but rather one or more principles drawing a line in the sand that shouldn't be crossed like what WEI is built to achieve?
If a user who is not you uses a browser using WEI (implicitly approving of this attestation tech) and connects to a website that uses WEI, that's entirely up to third-parties and there's nothing legal that you can do.
The most you can do is protest this with:
1. Using a browser without WEI or with WEI disabled.
2. Modifying your own site to talk the WEI protocol but for any browser that can talk that protocol, you ban the user from using your site (or redirect them to a site explaining how WEI is DRM of the entire internet, etc)
Moving beyond White Hat to Grey Hat and Black Hat, you get things like:
1. Modifying your own hosting company to apply this WEI-blacklisting mechanism to your clients' websites.
2. Convincing (or "convincing") owners of core backend libraries in popular programming languages to introspect connections and blacklist WEI-compatible browsers.
3. Take advantage of XSS vulnerabilities to interfere with WEI operations on other tabs within the same browser on the user's machine if they happen to be using your website.
4. Take advantage of vulnerabilities in the WEI protocol to corrupt the underlying attestation system so it fails to function in all future WEI requests for that physical machine.
5. Hack/Crack attestation system security and publicly release the keys, making any hardware using that version suspicious/blacklisted by users of WEI.
6. Probably some other things I haven't thought of, but as you can see they quickly go from dubiously legal to straight-up illegal. It would be best to nip WEI in the bud before such measures are deemed necessary.
In those situations, enterprises have the jurisdiction and need to know who is connecting to their network.
Putting a technology like this into a browser seems to only benefit sites that monetize their content...
I say this because, at first glance, it seems like the only stakeholders with any influence are W3C Members. The reality is that W3C is very open to contributions from individuals, but just has had a constitutional framework that makes things slightly more complicated for individuals, a situation which they are deliberately improving.
As for myself, I'm an IE for the W3C in the Linked Data area, so whilst of course I do not speak for the W3C, I would be more than happy to answer questions here on HN about how the W3C works.
[1]: https://www.w3.org/groups/wg/
His team lead (Dmitry Zagidulin) liked what we were doing a lot. But ultimately Tim chose to go in a different direction, spun off "Inrupt" and left MIT. We continued building our open source platform to try to realize the vision he keeps writing about: https://theconversation.com/tim-berners-lees-plan-to-save-th...
I was writing very similar things, but of course I didn't invent the Web: https://cointelegraph.com/news/how-a-web-that-lost-its-way-c...
Ultimately, my point is that we tried our best. I even hired Dmitry when he left Tim's project for a while, but very quickly Dmitry got demotivated to work with us because we were putting out working code for customers, instead of conforming to standards. Back then I argued to him that we don't have a ton of funding and executions matters more, after which the winners can help spearhead the standards. After all, Twitter pioneered oAuth, and Meebo+Google pioneered xAuth (if anyone remembers that). Dmitri and I did.
So we went our separate ways, and I realized that standards are an expensive detour that can work if you have extra funds to hire people. We plan to support Matrix, Mastodon and other interoperability. But for the time being, our platform is "just" free and open source.
Whether it's the UBI "movement", or the decentralized web, or other initiatives, everyone seems to go their separate way and it fizzles out (e.g. https://decentralizedweb.net and https://indieweb.org/). I wish people were willing to join forces on projects more, and get each other funded. That's how we can build real open source alternatives to the corporate internet we are all forced to depend on.
0. seek out appropriate, minimum friction standards before reinventing the wheel
1. refuse to implement solutions that harm users
Data canonicalisation is one such example: although the idea has been around for quite a while, a couple of years ago lots of people spontaneously decided it was something they needed (myself included!), and here we are with RDF canonicalisation[1] nearing Candidate Recommendation not even halfway through its WG's charter, along with several mutually independent approaches also in a good state of development. The result of this is that in about one more year from now, software developers will find cryptographic verification of data considerably more consistent, which can be translated into a pretty significant boon for Web users.
The ideal timing of a standard is surely after the limits of the idea have been found by theorising or prototyping, and before anyone with that idea has a large enough commercial interest in it to benefit from a monopoly on it. Trying to build a monopoly first and then 'donating' it by spearheading a standard is a viable technique, but it feels risky to me unless you can be sure that you're really the only party who understands the idea, and so won't be overtaken by someone with equally monopolistic but less altruistic motives.
I think that a good place to start is limiting the scope of a proposed standard very consciously, unless as you say you have the funds to hire everyone you need to implement it entirely at least once. Although I'm not familiar enough with your project to comment on any details, I suspect that most social network or forum applications could implement one way ActivityPub or Matrix support easily, and also proper two-way federation unless the original software makes too many assumptions about identity.
[1]: https://www.w3.org/TR/rdf-canon/
I thought it lost some of it's influence, but can't recall why.
I would say that it was a pretty minor loss of influence overall, and their Linked Data is now used in almost all websites in at least a basic metadata capacity, which is how those 'social links' work (where you paste a URL in a chatroom or social network and find the title, logo and header picture appear automatically) for instance. More extensive use of Linked Data is often not directly visible to website visitors, but will soon form the foundation of a number of digital identity card systems, even for entire countries, and will do so in a way which has the potential to be significantly more privacy-friendly than a traditional 'citizen number' approach.
I'm currently a participant in the Linked Data area of W3C's work, but I wasn't around during the events I describe above. Resilient Web Design[1], a short but excellent ebook by Jeremy Keith is a good read for understanding why RDF didn't catch on initially, and anything by Manu Sporny will be worth reading/watching for getting a positive description of how useful RDF and Linked Data can be (his introduction video to the topic, for instance[2]).
[1]: https://resilientwebdesign.com/introduction/
[2]: https://www.youtube.com/watch?v=4x_xzT5eF5Q
https://web.archive.org/web/20041204114715/http://www.cc.uka...