[maxyme]

Mozilla's Position: "Mozilla has concerns about the shift in the web security model required for handling web-packaged information. Specifically, the ability for an origin to act on behalf of another without a client ever contacting the authoritative server is worrisome, as is the removal of a guarantee of confidentiality from the web security model (the host serving the web package has access to plain text). We recognise that the use cases satisfied by web packaging are useful, and would be likely to support an approach that enabled such use cases so long as the foregoing concerns could be addressed." https://mozilla.github.io/standards-positions/

[dfabulich]

Apple's position: "The Security Considerations describe some bad things that can happen even if the spec is properly implemented. Unsurprisingly, I think those things are bad. No time to make actual technical contributions at this time but I will consider it if this spec gets multi-vendor interest." https://twitter.com/othermaciej/status/951001352347402240

Microsoft is in favor.

[comex]

If by “Apple’s position” you mean “a 15-month-old tweet by one Apple employee”.

Edit: And the spec has since gotten multi-vendor interest. From Microsoft:

> We're excited about the potential for this feature set to resolve some of the performance and privacy problems of alternative approaches, and we have been talking to publishers who are interested in utilizing these technologies to provide accelerated experiences.

https://groups.google.com/a/chromium.org/d/msg/blink-dev/gPH...

[dfabulich]

He's not a random employee. https://en.wikipedia.org/wiki/Maciej_Stachowiak "he is a leader of the development team responsible for the Safari web browser and WebKit Framework"

For now, his tweet is all the signal we have from Apple.

[om2]

I'm the person who posted the tweet. Since then, some of my colleagues from the WebKit team have given more specific security feedback. Some of it has been addressed. And the Security Considerations section is less scary. But even so, I'd say we are pretty uncomfortable with this approach, for similar reasons to Mozilla. We can see some advantages to Google re-serving the whole web from their own servers and getting browsers to present it as if it comes from the origin, but it also seems like a worrisome change to the web security model.

[sjwright]

And considering Apple's strict policies around public communication, it's pretty safe to describe it as a formal statement of the company's position.

[saagarjha]

People jumping to this conclusion is why employees are burdened with prefixing everything they say with a disclaimer that they do not speak for their employer :(

[sjwright]

I completely agree. My point was only about the reality of communications from Apple employees, not asserting it as an ideal.

[ocdtrekkie]

Since Microsoft's position is now "implement Chrome with Bing as the search default", I am pretty sure most, if not all, web standards Google proposes will be enthusiastically supported by Microsoft, as they'll support them regardless.

[dfabulich]

Microsoft's claim is that they'll be more like Google and Apple working on WebKit. They disagreed a fair amount, and didn't always enable each other's features just because the other browser enabled them.

Microsoft has ripped a fair amount of stuff out of Chromium already. https://www.theverge.com/2019/4/8/18300772/microsoft-google-...

[om2]

It will be interesting to see if Microsoft ever diverges from the web platform functionality exposed by Chrome. My prediction is that either they never do it, or they eventually do it and are forced to fork. Chromium is not as open to variation in the main tree as WebKit was when Google showed up.

[magicalist]

> three-month-old tweet

15 month :)

[comex]

Thanks, corrected.

[Ajedi32]

Google's response: https://github.com/mozilla/standards-positions/issues/29#iss...

In all fairness I have to agree with Google on this one. Mozilla's current objections don't really make sense.