This CL moves the base::Feature from content_features.h to
a generated feature from runtime_enabled_features.json5.
This means that the base::Feature can be default-enabled
while the web API is co...
Can someone ELI5 how this could prevent a fork of Chromium from just not playing nice and telling the website “yeah yeah, it’s all untempered *wink wink*” and then still remove/alter stuff as it pleases?
Edit: ok I think I got it … it’s basically the server that decides if it trusts the judgment of the client or not. Can’t wait to see that cat-and-mouse game going on 🙄
it’s basically the server that decides if it trusts the judgment of the client or not. Can’t wait to see that cat-and-mouse game going on
This is partially correct. The server will check that you have a valid token issued by a trusted third party, who will almost certainly be Google, Microsoft, or Apple. When you connect to the web page, your browser will give this token to the server and say “hey look I’m legit.” The token will have enough information on it to identify that it is relevant (being provided by a client that matches the hardware it is meant to verify) as well as a cryptographic signature that verifies it is in fact from the trusted third party. So it’s less the server trusting the judgement of the client than it is the server trusting the judgement of whatever third party is attesting to your system.
Can someone ELI5 how this could prevent a fork of Chromium from just not playing nice and telling the website “yeah yeah, it’s all untempered *wink wink*” and then still remove/alter stuff as it pleases?
Edit: ok I think I got it … it’s basically the server that decides if it trusts the judgment of the client or not. Can’t wait to see that cat-and-mouse game going on 🙄
This is partially correct. The server will check that you have a valid token issued by a trusted third party, who will almost certainly be Google, Microsoft, or Apple. When you connect to the web page, your browser will give this token to the server and say “hey look I’m legit.” The token will have enough information on it to identify that it is relevant (being provided by a client that matches the hardware it is meant to verify) as well as a cryptographic signature that verifies it is in fact from the trusted third party. So it’s less the server trusting the judgement of the client than it is the server trusting the judgement of whatever third party is attesting to your system.