[markussss]

I think that that is supposed to prepare web apps for verification in the browser, in order to not allow them to run or connect to a remote server unless they are confirmed to be not tampered with, and that the main goal of this is to disallow usage of websites and related services unless ads are served. An adblock-blocker in the browser, sold as a security feature that protects against no real threats.

I refuse to believe that rouge browser extensions and userscripts are such a big problem that Meta decides to invest in security against those attack vectors.

[danShumway]

Because it's Facebook, I can't say that they aren't planning that.

But if anyone else mentioned this tech, I would assume it was benign. Subresource Integrity (https://developer.mozilla.org/en-US/docs/Web/Security/Subres...) is primarily aimed at servers proving to clients that their code is unaltered, not the other way around. I haven't personally tried it before, but I can't imagine why extensions wouldn't be able to override integrity strings or remove them from script elements.

For WhatsApp I'm not sure I see the point necessarily, but it's an understandable goal for Open Source and offline webapps or for apps that use 3rd-party CDNs. The main problem for personally hosted code is that the integrity string is also getting served from the server, so there's no reason it can't also be altered if the server that gives the HTML is compromised.

In theory with some tweaking and a way to pin integrity strings in a user-controlled way (which an extension could do I suppose) it could be a step towards allowing users to know when a PWA is being updated, which would be helpful for some security models. In its current state it's fairly niche and I'm not sure how useful the standard is outside of securing CDN requests.

Although why that would matter to WhatsApp, :shrug: It does feel weird that Facebook would be leading that push.

[babyshake]

Do ad blockers modify client-side scripts? I figured they just use some feature allowing extensions to block network requests. If they are modifying client-side scripts, then it might be tricky for a tool like this to allow some forms of modification without allowing other forms of modification.

Here's what ChatGPT says:

Most ad blocker browser extensions primarily work by intercepting and blocking network requests made by web pages to known advertising servers or domains. When a web page loads, it typically requests various resources such as images, scripts, and stylesheets from different servers. Ad blockers analyze these requests and compare them against a list of known ad servers or patterns commonly associated with advertising content. If a match is found, the ad blocker prevents the resource from loading, effectively blocking the ad from appearing on the page.

Some ad blockers also employ additional techniques such as element hiding, where they modify the Document Object Model (DOM) of the webpage to hide elements that are recognized as ads. This can include hiding divs, iframes, or other HTML elements that contain advertising content.

Overall, while there are variations in implementation, most ad blockers primarily rely on blocking network requests to known ad servers or domains, with some employing additional techniques to hide or remove ad content from web pages.

[Ferret7446]

Isn't it fundamentally impossible to secure a client? You can always write your own app that sends exactly the same request as a verified client.