"Users often depend on websites trusting the client environment they run in. This trust may assume that the client environment is honest about certain aspects of itself, keeps user data and intellectual property secure, and is transparent about whether or not a human is using it."

Double-plus-good rights management!

This reads like someone hopelessly out of touch with actual users.

Most users don't give a shit if their client is "honest", or if it's respects intellectual property. These are concerns of web admins and media companies. Users just want something to load websites.

No no, it's not the users that care if their client is honest, it's the websites. But users want to use those websites, and therefore whatever is in the website's interest is in the user's interest.

There's a lot you can justify with a creative thought process.

I think it depends. When I use an ATM, I want to make sure it's the official bank ATM and won't steal my information. Also, spam is a tax that websites must pay and we as users are indirectly paying for this tax regardless of whether we intend to or not.

> When I use an ATM, I want to make sure it's the official bank ATM and won't steal my information.

sure, but in that situation, the "client" is you, and the "server" is the ATM. as the client, its not your job to worry or care if you are being "honest" with the "server". your concern is only getting the money. its the banks job to secure the ATM from bad actors, not yours.

I admire how they barely try to hide the fact that it's just a way to bombard you even more with ads. They don't even care to pretend at this point.

This was reworked to be a more limited proposal specific for Android Webviews, IIRC. Fairly recently (last month)?

After all the intense backlash they faced, they made it a 'limited' webview feature rather that dropping it entirely. Now that it's away from a standardization body, what's to prevent it from being developed unimpeded by public opposition? What's to stop them from expanding it to browsers once the 'feature' is ready? After all, this is exactly the pattern we saw with FLoC, 'privacy' sandbox and the Topics API.

It will come back again and again, and each time there will be less public outcry. It'll end up being normalized and eventually accepted. General purpose computers give the unwashed masses too much power.

Yes, but it's the sort of creepy that they can't just undo by saying "nevermind".

And after that's normalized, then Google will enhance your user experience by bringing "Android Webview security" to Chrome on android, you know, it makes you really secure, it's really to help you keep safe.

A few years down the road, a surprising amount of companies insist you can only use their product on those secure smartphone browsers because of it's enhanced security, so Google helps you out by adding a special "Android Secure Mode" to desktop Chrome.

Nothing unreasonable or unsubstantiated. This is exactly what happened with app geolocking, privacy sandbox/topics, SafetyNet/Play Integrity API, etc. All of these are supposed to improve security and privacy and yet none of them are under the control of the user. Clearly implying that the user is the biggest security/privacy threat to them.

Which sites require those? How would that allow them to make more profit?

I literally said if they want people to visit anywhere they use a site and if not they lock down the experience with an app, and you said they lock down apps as 'proof' that they'd lock down web sites because somehow they are equal. Apps have never been about freedom. Starbucks doesn't want user choice and privacy when they ask you to download their app.

And I'm yet to see what business model it would work for. I'm going with 'none'.

> Which sites require those? How would that allow them to make more profit?

Practically every banking site (or more importantly banking apps). And a lot of weird cases like bus/train timings app, mobile operator apps, etc. You don't see that a lot with websites yet because the web isn't so severely constrained as mobile apps are. But the moment they appear, it will go the other way. One good example of this is AMP - which thankfully fizzled out for other reasons.

> And I'm yet to see what business model it would work for. I'm going with 'none'.

You can go with whatever you feel like. But the real world experience corroborates what the other commenter said. And one good reason for this is the corporate security culture. 'Our app isn't secure if it doesn't use the PIntegrity' type of argument. They'll all fall for it even if it's detrimental to their users.

Making a website less accessible doesn't make any sense. You've given an example of apps like before and you've yet to substantiate any points you made, maybe bank logins have a reason to be secure but that forum you go to doesn't, and wouldn't do this.

If they wanted to make it less accessible they could easily do that by forcing you to use newer browser versions which some boilerplate sites with frameworks do, from lack of expertise. No "safety" required. I'm not going off feeling, I'm going off facts. It will NEVER happen.

Netflix will not deliver the highest resolution video unless you have a DRM supporting browser.

Website operators don't need to outright block you, they can just start putting certain features behind "the wall".

Publishers, already pushing back against ad blockers and now suing because their sites were scraped and incorporated into LLM weights, would love to have clients "attest" to the "humanity" of the user and "integrity" (read: no ad blockers) of the browser. It's not hard to imagine that, if given access to the feature, they'd jump on it as soon as it ways feasible and make the user experience for non-attesting browsers progressively worse to force the change.

Your point is that struggling publishers will stay relevant, gain subscribers and afloat/make more money by implementing ad blockers, worst user experience and safety checks to make their sites less accessible. I'm sure it'll happen any day now.

Absolutely, yes. They will be empowered by tools they don't yet have to make it feasible to slowly "boil the frog". Remote attestation is just such a tool.

The frogs already moved onto 4chan, twitter, TikTok, reddit, or YouTube for news. Even here at HN everyone uses archive. Publishers are dead. Nobody checks fox/cnn for the latest breaking news or needs to hear some anchor/journalist tell them what their handlers told them to say.

This is not true outside of a small bubble.

In Europe traditional media still enjoys relatively high public trust and high circulation. Weekly reach of traditional news media is at 80% to 90% of adult population in the Nordic countries compared to 50-70% of all social media combined, depending on the country.

Websites want all the real visitors they can get, webapps are not quite as concerned with that. I remember the Microsoft Silverlight days

I am fine not browsing websites that require this bullshit and fully embrace the small selection of niche communities that will be Internet 2.0

First they required attestation on Facebook but I did not speak up because I do not use Facebook.

Then they required attestation for Amazon but I did not speak up because I do not use Amazon.

And finally they required attestation for Uber Eats, but there was nobody left to speak up for me.