1. Introduction
-Todo
-1.1. Motivations
-Todo
-1.2. Examples
--// getEnvironmentIntegrity expects a "content binding" of the request you are -// about to make. The content binding protects against this information being -// used for a different request. -// The contentBinding will be concatenated with top-level domain name and hashed -// before it is sent to the attester. - -const contentBinding= "/someRequestPath?requestID=xxxx" + -"Any other data needed for a request-specific contentBinding..." ; - -const attestation= await navigator. getEnvironmentIntegrity( contentBinding); - -console. log( attestation. encode()); -"base-64 encoding of the attestation payload and signature approx 500 bytes; see below for details" - -// More on attestation validation below -const response= await fetch( `/someRequest?requestID=xxxx&attested= ${ attestation. encode() } ` ); -// Do something with this ... -
2. Key terms
-The web environment is defined as TODO
-3. Attesters
-The term attester refers to a third party capable of returning an Integrity verdict. A Integrity verdict refers -to a response that confirms if the attester trusts the web environment the user agent is -executing in.
-The user agent connects to the attester through an AttesterConnection
.
The user agent SHOULD use separate AttesterConnection
s if the AttesterConnection
stores state in the Integrity verdict that can be used for cross site tracking.
3.1. Token Format
-Todo
-3.2. Browser Acceptance Requirements
-Todo
-3.3. AttesterConnection
--interface { -
AttesterConnection ArrayBuffer (
getAttestation DOMString ); -}; -
contentBinding
-
-
- getAttestation -
-
-
Returns a COSE signed CBOR object as an ArrayBuffer from the attester that contains the Integrity verdict.
-
4. Web Environment Integrity API
-4.1. Extensions to Navigator
-[-Exposed =Window ] -partial interface Navigator { - [SecureContext ]Promise <EnvironmentIntegrity >getEnvironmentIntegrity (DOMString ); -}; -
contentBinding
4.1.1. getEnvironmentIntegrity()
- AttesterConnection
with the attester.
- The getEnvironmentIntegrity(contentBinding)
method, when invoked, runs these steps:
-
-
-
-
Let promise be a new promise
- -
-
Run the following steps in parallel:
--
-
-
-
Let environmentIntegrity be a new
-EnvironmentIntegrity
-
-
Set environmentIntegrity.
- -attestationToken
to attesterConnection.getAttestation(contentBinding). If this fails then: -
-
Resolve promise with environmentIntegrity
-
-
-
-
-
Return promise
-
4.2. EnvironmentIntegrity
--interface { -
EnvironmentIntegrity readonly attribute ArrayBuffer ; -
attestationToken DOMString (); -
encode object (); -}; -
toJSON
-
-
- attestationToken -
-
-
The attestation token is a COSE signed CBOR object as an ArrayBuffer from the attester.
- - encode() -
-
-
The encode method will return a Base64 string representation of the attestation token.
- - toJSON() -
-
-
The toJSON method returns a human readable JSON representation of the attestation token. It will first decode the CBOR object. Useful for local debugging.
-
5. Security and privacy considerations
-5.1. Security considerations
-Todo
-5.2. Privacy considerations
-Todo
-