[idreyn]

WEI acts as proof that "this is a browser", not "this is a human". But browsers can be automated with tools like Selenium. I'd guess that with the advent of complicated, JS-based captchas, browsers under automation are already the major battleground between serious scrapers and anti-bot tools.

I also don't understand how WEI does much to prevent a motivated user from faking requests. If you have Chrome running on your machine it's not gonna be too hard to extract a signed WEI token from its execution, one way or another, and pass that along with your Python script.

It looks like it basically gives Google another tool to constrain users' choices.

[Spivak]

> But browsers can be automated with tools like Selenium

And I will bet anything that if the browser is being instrumented via webdriver it will attest as such. You would have to automate the browser externally.

[danShumway]

Will it attest that it's running an extension? I can intercept and modify web requests, redirect web requests, and send web requests to other domains through a web extension. I can also scrape the HTML and I can use native messaging or normal HTTP requests to send that information out of the browser. And I can also modify CORS headers to get rid of restrictions around sending requests from another domain.

I can't literally emulate mouse movements but the only place that matters is... captchas. If you're not watching for those kinds of behaviors, then a browser even without webdriver can be automated just fine. And if you are watching for those behaviors, then you're running a captcha, so what is WEI helping with?

Google claims this is not going to impact browser extensions, debugging, etc... but if it's not going to impact that stuff, then it's not really helpful for guaranteeing that the user isn't automating requests. What it is helpful for is reducing user freedom around their OS/hardware and setting the stage for attacking extensions like adblockers more directly in the future.