kiwibrowser / src.next

Source-code for Kiwi Next, a Kiwi Browser auto-rebased with latest Chromium
BSD 3-Clause "New" or "Revised" License

Patch out Web Environment Integrity #937

Open gaussandhisgun opened 1 year ago

gaussandhisgun commented 1 year ago

Is your feature request related to a problem? Please describe.

So Google has added the highly-controversial Web Environment Integrity into Chromium sources. You can get a rough guess about exactly how bad it is by looking at the Issues of the repo. It is already in there, and it has made its way into Kiwi as well. Do it right now, open Dev Tools and try to call navigator.getEnvironmentIntegrity. If it's not null/undefined, we're in trouble.

Why exactly we're in trouble, you may ask? Well. One of the core features of Kiwi is:

Block invasive ads with our powerful Ad Blocker. Enable and manage from options ( ⋮ ) -> Settings -> Ads. Browse without distractions with our Pop Up Blocker!

... an ad blocker. Google is literally killing that by making sure websites can now look at your browser and see if anything EVEN TRIES to modify the website. Devtools? Stylus? Consent-o-matic? GONE. If we keep WEI anywhere close, this might be the end of usable internet.

Describe the solution you'd like

Patch out the WEI. Vivaldi does not have it - though that's most likely because it's a month old, but still. Maybe at some point we can just fake it, as most people do with user agents and whatnot. And as some people do with SafetyNet (which shares the same concept, by the way).

Describe alternatives you've considered

I've tried to use Firefox instead. Not having desktop-like tabs even on a 15 inch screen is horrible. Having to manually add every remotely interesting extension to a collection is boring and painful. And don't even get me started on the design.

Additional context

One thing I found when looking for the sources is the fact that the integrity stuff apparently actually does calls to SafetyNet. Yeah, this might be a hu-u-uge issue for people who want to use an adblocker with any amount of money. At all.

At the moment of me writing this, Android is the only supported platform, too.

The integrity stuff itself is stored right here in the sources.


Keep yourself alive and your environments free!

kiwibrowser commented 1 year ago

Hey,

I'm aware of WEI. It's a horrible idea, like other recent ideas from non-engineering teams at Google, e.g. Privacy Sandbox.

The plan, at least for now (depending how it evolves on the Google side), is to make Kiwi appear trusted to websites, even if it involves artificially claiming to the website that it has not been altered. For example, by re-sharing attestation tokens, or by providing an alternative mirror-DOM to the JS side if an adblocker is running (e.g. run the page fully, and then hide elements during the rendering / non-visible phase).

Google already did a DRM-like approach with Widevine and it's horrible for 3rd party browsers (and the Widevine team is not helpful at all).

In general, I don't think WEI will get popular, because websites won't adopt it as they would lose audience. So I feel this is a non-issue, at least in the short term, but I want to keep an eye on it.

I think you could reach out to https://open-web-advocacy.org/ if you want to be active against WEI in general - these people have been incredibly helpful for all regulation questions :)

They are the ones who managed to "convince" Apple to open up to new web browser engines.

Arnaud.

gaussandhisgun commented 1 year ago

Well, there are websites that just deny your presence on them with WEI. Seek no further than one of my own - with a simple one-liner you can just deny a browser that has WEI from accessing the website. Guess if we're faking it, maybe a toggle (per-website, but a global one would be fine at the very least) that changes states between "We are trusted" and "We have no WEI" would be a good idea?
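The "simple one-liner" gate mentioned above, written out as an added example (not code from the Kiwi project or from the commenter's site). It only tests whether `navigator.getEnvironmentIntegrity` is exposed and never calls it, so no attestation request is made; the navigator-like objects are constructed here, and passing `nav` as a parameter is an assumption so the check can run outside a browser.

```javascript
// Classify a navigator-like object by whether the WEI entry point is exposed.
// Both null and undefined count as "absent", matching the issue's
// "not null/undefined" check; any other non-function value is flagged.
function weiStatus(nav) {
  const api = nav?.getEnvironmentIntegrity; // tolerates a missing navigator
  if (api === undefined || api === null) return "absent";
  return typeof api === "function" ? "present" : "unexpected";
}

// The policy described in the comment: serve the page only when WEI is absent.
// A browser with the proposed "We have no WEI" toggle set would pass this gate.
function shouldServe(nav) {
  return weiStatus(nav) === "absent";
}

// Constructed navigator-like objects (sample input, not real browser data).
const samples = {
  noWei: { userAgent: "constructed-ua" },
  nullWei: { getEnvironmentIntegrity: null },
  wei: { getEnvironmentIntegrity: async () => "constructed-token" },
};

for (const [name, nav] of Object.entries(samples)) {
  console.log(name, "->", weiStatus(nav), shouldServe(nav) ? "serve" : "refuse");
}

// In a real page the same decision as a literal one-liner would be:
//   if (navigator.getEnvironmentIntegrity) document.body.textContent = "WEI browsers are not served here";
if (typeof navigator !== "undefined") {
  console.log("this runtime's navigator ->", weiStatus(navigator));
}
```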

kiwibrowser commented 1 year ago

Obviously this is a very good candidate for chrome://flags but I still think that the main point is to make WEI adoption as painful as possible to adopters, so they swallow their own poison. If we can render WEI useless, I think this will be a much stronger signal than staying on the side.

I am saying this because in bug reports, this is ultimately the browser's fault otherwise. "It works on Chrome, but not on Kiwi, this is Kiwi's fault" and I want to avoid such a case.

I have the intuition that if Firefox and Safari don't adopt WEI (and I'm a bit worried they will, because they are completely under influence from Google, but it's not that sure) then WEI is going to become a useless standard.

In such case, if WEI is requested, why not reload such sites pretending to be Firefox or Safari right :) ?

Efreak commented 1 year ago

by providing an alternative mirror-DOM to the JS-side, if an adblocker is running (e.g. run the page fully, and then hide elements during rendering / non-visible phase).

This defeats the purpose of running an ad blocker. I don't care about advertising; I don't want to be tracked around the web, by Google or otherwise. I think you'll find a lot of people feel the same way.