
Mozilla calls Google’s proposal to distribute digitally signed web packages “harmful”


Signed HTTP Exchanges (SXG)

A month ago, at a developer conference, Google presented its “portals” technology, which is designed to provide a new way to load and navigate web pages. In essence, <portal> is a more advanced and modern version of <iframe>. The main difference is that <portal> lets you navigate, from the outside, into the content embedded on the page, while <iframe> does not allow this for security reasons. Moreover, <portal> can change the URL in the browser's address bar, which makes this tag more useful as a navigation tool.

For Google, this is a very important technology, because it keeps users on the search site while the requested content from other sites is loaded through “portals” in the form of web packages.


Several other projects that Google proposes to adopt as standards are associated with portals. Together, they make it possible to package a website's resources, digitally sign them, and deliver them through third-party sites, which is what “portals” need.


Portals are currently supported in Chrome Canary for Android, Mac, Windows, Linux and Chrome OS, although the feature is still disabled by default. To turn it on in Chrome Canary, enable the portals flag at chrome://flags/#enable-portals.

At the moment, only Chrome supports this technology; other browsers have not expressed interest. Moreover, Mozilla has now published a well-argued criticism explaining why Web Packaging technology is not needed and is even harmful to the Internet.

Why Mozilla is against it


Mozilla emphasizes that this method makes it difficult to enforce the same-origin policy, a critical security mechanism that isolates potentially dangerous web resources and so reduces the attack surface. In particular, this mechanism limits how scripts can interact with third-party domains. Google, in turn, proposes relying on digital signatures.

“At its core, replacing a source (origin) fundamentally changes the way the Internet works,” the Mozilla document says. “Content is no longer required to follow links to sources. The place where the content is created can be completely separated from the place where it is received.”

The developer of the Firefox browser worries that allowing aggregators to host and serve other people's content increases security risks and creates new threats: for example, scenarios in which an attacker compromises a server key or fraudulently obtains a certificate in order to create malicious content on behalf of the source.

Given that this content can be cached or stored in several places, several days may pass between the revocation of a certificate and the withdrawal of the malicious web packages that have already been distributed.
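
The delay described above follows from the fact that a signed exchange carries its own validity window. The following is an added example, not code from the article, Google or Mozilla: it parses the date and expires parameters of an SXG Signature header as defined in the Signed HTTP Exchanges draft and computes how long an already distributed copy keeps passing the time check after a key compromise. The header value and host names are constructed, and the 7-day lifetime cap comes from the draft, not from this article.

```javascript
// Added example: time-window check on a Signed HTTP Exchange signature.
// Cap on (expires - date) taken from the SXG draft, not from this article.
const MAX_LIFETIME = 7 * 24 * 3600;

// Constructed Signature header value; sig and cert-sha256 are placeholders.
const SAMPLE =
  'sig1; sig=*Q09OU1RSVUNURUQ=*; integrity="digest/mi-sha256-03"; ' +
  'validity-url="https://publisher.example/a.validity"; ' +
  'cert-url="https://publisher.example/cert.cbor"; ' +
  'cert-sha256=*Q09OU1RSVUNURUQ=*; date=1559000000; expires=1559604800';

// Parse one signature: label, then ;key=value with value a quoted string,
// a *byte sequence* or an integer.
function parseSignature(header) {
  const params = { label: header.split(";", 1)[0].trim() };
  const re = /;\s*([a-z0-9-]+)=(?:"([^"]*)"|\*([^*]*)\*|(\d+))/g;
  for (const m of header.matchAll(re)) {
    params[m[1]] = m[4] !== undefined ? Number(m[4]) : (m[2] ?? m[3]);
  }
  return params;
}

// Result of the time check a client applies at time `now` (Unix seconds).
function windowCheck(sig, now) {
  if (!Number.isInteger(sig.date) || !Number.isInteger(sig.expires)) return "invalid";
  if (sig.expires <= sig.date) return "invalid";
  if (sig.expires - sig.date > MAX_LIFETIME) return "invalid";
  if (now < sig.date) return "not-yet-valid";
  return now >= sig.expires ? "expired" : "in-window";
}

// Seconds a cached copy keeps passing the time check after the signing key
// is known to be compromised at `compromisedAt`.
function residualExposure(sig, compromisedAt) {
  const from = Math.max(compromisedAt, sig.date);
  return windowCheck(sig, from) === "in-window" ? sig.expires - from : 0;
}

const sig = parseSignature(SAMPLE);
const oneDayIn = sig.date + 86400;
console.log(windowCheck(sig, oneDayIn), residualExposure(sig, oneDayIn) / 86400, "days");
```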

The company also voices several other concerns: additional complexity (which negatively affects security), possible performance loss, the imposition of Signed HTTP Exchanges specifically for signing packages, and storage overhead for publishers and aggregators.

Although these technical problems can be solved by refining the standard, Mozilla is still not sure that the Web Packaging standard is useful for the Internet: “The question remains that this fundamental change in the way content is delivered on the Internet represents a problematic shift in the balance of power between actors,” the Firefox developers say. “We have to consider whether aggregators can use this technology to impose their will on publishers.”

Behind the general wording lies Mozilla's suspicion that, by introducing new standards, Google is trying to shift the balance in its favor and take on the role of the main third-party content provider. These concerns are aggravated by the fact that Chrome has now become the de facto standard browser on the Internet, and numerous third-party browsers are based on Chromium, including the new Edge and Opera. It already looks like a monopoly. Google is close to being able to push through any standard without industry consent, simply by implementing it in Chrome. In such a situation, web developers will adopt the innovation first, and then other browsers will have to follow, as was the case during the monopoly of Internet Explorer.

Mozilla believes that adopting Web Packaging will simply increase web centralization, strengthening the influence of Facebook and Google as content distributors.

Considering how other technologies and market choices have influenced the balance of power on the Internet (Google AMP technology, authorization on websites through Facebook, changes in Google search rankings, browser market share and so on), Mozilla considers it necessary to further study the implications of implementing Web Packaging before accepting this standard.

“Big changes need serious justification and support. This particular change is particularly significant and presents a number of problems. The increased susceptibility to security problems and the unknown effect of this on the balance of power are significant enough for us to view this technology as harmful until more information is available,” Mozilla concludes.



Source: https://habr.com/ru/post/454568/

