[Ajedi32]

The URL the browser shows is the one which was cryptographically verified to be correct. I don't see how you can call that a "lie".

If I'm offline and I open an offline cached page in my browser, would you call it a lie if the browser displays the URL I originally downloaded that page from in the URL bar instead of saying it came from "your hard drive"?

[tyingq]

It's not just us HN commenters that are concerned. Mozilla, for example, is highly opposed to it in it's current state.

"Mozilla has concerns about the shift in the web security model required for handling web-packaged information. Specifically, the ability for an origin to act on behalf of another without a client ever contacting the authoritative server is worrisome, as is the removal of a guarantee of confidentiality from the web security model (the host serving the web package has access to plain text). We recognise that the use cases satisfied by web packaging are useful, and would be likely to support an approach that enabled such use cases so long as the foregoing concerns could be addressed."

Mozilla has the proposal marked as "harmful".

Apple/Webkit have concerns as well: https://news.ycombinator.com/item?id=19679621

[Ajedi32]

> We recognise that the use cases satisfied by web packaging are useful, and would be likely to support an approach that enabled such use cases[...]

That doesn't sound "highly opposed" to me.

Anyway, I read the full report from Mozilla back when they first published it, and while they do have some valid concerns (any new feature introduced to the web will necessarily introduce some new attack surfaces) I believe their concerns are already sufficiently well addressed by the standard.

The paragraph from Mozilla that you quoted is also rather vague and misleading. In particular:

> the ability for an origin to act on behalf of another without a client ever contacting the authoritative server is worrisome

This is super vague. I see no reason why that should be "worrisome". That sort of thing happens all the time in public key cryptography. When you receive a message signed with the private key of a trusted actor, it's perfectly reasonable to trust that the trusted actor authorized that message regardless of where the message itself came from. TLS itself already does exactly that every time you visit a website over HTTPS (your browser trusts certificates signed by a trusted CA, even though those certificates are being presented by an untrusted website, not the CA itself).

> as is the removal of a guarantee of confidentiality from the web security model

This concern is completely unfounded, and I'm surprised Mozilla included it in their summary. The use of the signed exchange standard doesn't reveal any information to any party that would not already have access to that information without the standard (a host serving you a link to a static, public page will necessarily already have access to the plaintext content of that page, regardless of whether they serve you that content themselves or not).

[tyingq]

>That doesn't sound "highly opposed" to me

They marked the proposal as "harmful", and it remains marked that way.

I wasn't trying to exaggerate. I could cite other passages that support "highly opposed".

Mozilla did publish a pretty extensive document that explains their position and plans: https://docs.google.com/document/d/1ha00dSGKmjoEh2mRiG8FIA5s...

[Ajedi32]

Yes, I know. Again, I read the full report. I don't think "Harmful" is an accurate summary of their position either. (At least in a layman's sense of the term; it may very well be the correct category from the perspective of Mozilla's formal standards position process.)

The more detailed summary in the full report says:

> There is a lot to consider with web packaging. Many of the technical concerns are relatively minor. There are security problems, but most are well managed. There are operational concerns, but those can be overcome. It’s a complex addition to the platform, but we can justify complication in exchange for significant benefits.

> [...]

> Big changes need strong justification and support. This particular change is bigger than most and presents a number of challenges. The increased exposure to security problems and the unknown effects of this on power dynamics is significant enough that we have to regard this as harmful[1] until more information is available.

> We’re actively working to understand this technology better. The Internet Architecture Board are organizing a workshop that aims to gather information about the bigger questions. That workshop is specifically structured to collect input from the publishing community. The technical details of the proposal will also be discussed at upcoming IETF meetings. Based on what we learn through these processes and our own investigation, we might be able to revise this position.

(Source: https://www.iab.org/wp-content/IAB-uploads/2019/06/mozilla.p...)

That doesn't sound "harmful" to me, it just sounds like they're skeptical, and possibly a bit confused. The meat of their concerns also seem to be primarily political, not technical.

[1]: https://github.com/mozilla/standards-positions

[tyingq]

It's "harmful" in it's current form, and Google hasn't yet committed to addressing all of Mozilla's concerns. Mozilla could have chosen a different label than "harmful". They did not. They didn't change it either.

Last I understood, Apple had similar concerns. I find it unlikely that both of those orgs are making noise for no good reason.

[Ajedi32]

There are only 6 labels to choose from. They actually couldn't have picked a different label without making up a new one, or without making their choice of label even more misleading than it already is.

Let's try a different approach. How about this: I've carefully read over both the spec itself and everything Apple and Mozilla have to say on the matter (that I was able to find anyway), and have come to an informed conclusion: both Apple and Mozilla are wrong. (That's actually a rather poor, oversimplified summary of my position. But no moreso than "harmful" is a poor, oversimplified summary of Mozilla's position.)

You are making an argument from authority. I consider myself sufficiently well informed on this particular topic to be making arguments based on facts and reason. I don't find you repeatedly citing a one-word summary of Mozilla's position on the matter (which is actually quite nuanced, and not at all able to be summed up by a single word) to be particularly convincing.

[JohnFen]

> I don't see how you can call that a "lie".

It's a lie because the URL being displayed does not reflect the source of the bits.

> If I'm offline and I open an offline cached page in my browser, would you call it a lie if the browser displays the URL I originally downloaded that page from

That's a bit of a gray area. Yes, it is a lie (the browser should provide an indication of the actual source of the bits). On the other hand, the cache was created by you and exists on your own machine, so it's more of a little white lie in that case.

[echeese]

What about something like Cloudflare, would you say they're lying when they return a cached file instead of contacting the origin server?

[JohnFen]

Yes, because Cloudflare isn't telling me that it's coming from them. However, that's already a lost battle.