So... it's being implemented anyway, just only for the embedded browser?
This doesn't make me feel better. And it's a very Google type of answer to give: announce that you're moving forward anyway, but pretend like you're listening to feedback and giving everyone what they want.
It's annoying that the entire retrospective is two sentences. Still no conversation with the dev community of course, just two sentences that say it's not being considered and we move on. And it's convenient that the new API is no longer a proposal, it's just an internal program that Google is building on their own.
----
Off the top of my head, I think some of the concerns here still apply? Not all of them, this is better than the original proposal, but this is now dividing the web up into webviews that are supposedly only going to work on Android? Because iOS I don't think supports this kind of thing -- maybe I'm wrong though. We still have this inversion of the Open web where clients attest DRM capabilities to the server, which is not how the web is supposed to work. But I guess that's supposedly OK because the idea is you'd only use this API on a site that was only ever intended to be viewed in a webview for a single app? I'll admit I don't know how common that is.
And all of this to paper over embedded web views, which arguably should be used less on Android anyway. I don't know, that could be a long conversation; but the point being I'm still worried about the announcement -- less worried, but still worried.
It's both so weirdly narrow and so unsuitable for the goals that the original proposal outlined that my most cynical side almost feels like it's being done purely because Google doesn't like complete capitulation and wants to have the last word? But it's also still so weirdly antithetical to how an Open web works (even within that very narrow band of apps it would apply to) that I can't shake the feeling there's some horrible side-effect that isn't immediately obvious to me.
Of course I don't know the details or whether or not it'll all be fine; maybe this will be nothing and mostly won't matter for anything. It's hard to tell because we're no longer talking about a standards proposal as far as I can tell. It sounds like Google is just going to do this internally and roll it out to small numbers of partners and then will launch it and that will be that, no community feedback required. Which... :shrug: not having your attestation plans be publicly available to comment on is definitely a way to avoid criticism, I guess.
The world needs to stop looking to a global data broker who feeds data to advertisers as a legitimate and good faith steward of Web technologies.
It violates the separation of concerns between server and client, for starters. Clients are user agents, i.e. they do what the user wants, not what the server wants. This fundamental misunderstanding/skewing of perspective is part of the problem.
If we want HTTP(S) and friends to remain a free and open protocol for all, we have to cut Google out of the decision-making process. They've been behind Encrypted Media Extensions, they've been behind Manifest v3, and now WEI.. The Web doesn't belong to Google. They can go do QUIC and leave HTTP alone.