jasegSince it seems #Google has decided to uni-laterally force through their new anti-#adblock #DRM euphemistically named "Web environment integrity", I decided to add a little bit of code to my website that blanks out the page and displays a protest message with a link to the firefox download page when you visit it from a browser with this DRM feature. Here's the source inside one toot, feel free to copy and put it at the end of your website's <body> before the closing tag:
Florian<script>if(navigator.getEnvironmentIntegrity!==undefined)document.querySelector('body').innerHTML='<h1>Your browser contains Google DRM</h1>"Web Environment Integrity" is a Google euphemism for a DRM that is designed to prevent ad-blocking. In support of an open web, this website does not function with this DRM. Please install a browser such as <a href="https://www.mozilla.org/en-US/firefox/new/">Firefox</a> that respects your freedom and supports ad blockers.';</script>
I'm using the API from https://github.com/chromium/chromium/blob/6cf344c02b1bcf07114d512ee389894239416007/chrome/test/data/android/environment_integrity.html#L4 here, if you know a better way to detect the presence of the feature, please go ahead and tell me :)
LiteralGrill@jaseg Well now, I think I'll try adding this to my site! Excellent idea :D
ashe@jaseg checking for the property on `navigator` is pretty standard in terms of JS feature detection so we think this is about as good a solution as any
(unless/until they start obfuscating it)
toby
Guades@jaseg JavaScript dev for a living here, that's the best way to do feature detection, yeah.
You may want to consider making a new node in code, clearing body and appending it inside body as opposed to slamming innerHTML though 🤷♂️
@guades I apologize for the innerHTML slam. I know better, but I wanted to prioritize the protest message under my instance's 500 character toot limit 😅
mirabilos@jaseg thankfully my GotoSocial does not have such a puny limit. I found also out (the hard way) that you have to clear all CSS, otherwise the new content may be illegible.
New approach:
<script type="text/javascript"><!--//--><![CDATA[//><!--
document.addEventListener("DOMContentLoaded", function () {
/* do not run if browser lacks the antifeature */
if (navigator.getEnvironmentIntegrity === undefined)
return;
/* disable all CSS */
for (let elt of document.getElementsByTagName("link"))
elt.disabled = true;
/* replace body content */
var r1 = document.createElement("h1");
r1.appendChild(document.createTextNode("Your browser contains Google DRM!"));
var r2 = document.createElement("p");
r2.innerHTML = '“Web Environment Integrity” is a Google euphemism for DRM (digital restrictions management) that is designed to prevent ad-blocking and allow only browsers authorised by Google (as opposed to e.g. browsers on hobbyist or aftermarket operating systems). In support of an open web, this website does not function with browsers that utilise this kind of DRM. Please install a webbrowser such as <a href="https://invisible-island.net/lynx/lynx.html"><tt>lynx</tt></a> or <a href="https://www.mozilla.org/en-US/firefox/new/">Firefox</a> that better respects everyone’s freedom and supports ad blockers.';
document.getElementsByTagName('body')[0].replaceChildren(r1, r2);
}, false);
//--><!]]></script>
Of course I could do the whole creating of text and element nodes for r2 as well but I figured it’s not that bad for a newly created node tree. If it is @guades please do tell me, I’m more of an assembly, C and Korn Shell developer.
(I put the whole stuff in front of </body> and reversed the conditional in the forth line to test it.)
That being said (I used the OP test conditional above), should it not be…
if (typeof(navigator.getEnvironmentIntegrity) === "undefined")
… because otherwise you can get error messages for use of undefined variables? I think I ran into that once.
Simon Brooke@mirabilos @jaseg @guades Apache mod_rewrite is (as usual) your friend. Search down this page for 'Browser Dependent Content':
@simon_brooke @jaseg @guades huh no, then I would have to duplicate all files. I’d just rather write the JS in a way it doesn’t break other browsers. With usefulJS I think I succeeded (I did test it in Opera 9, and stuff works; I don’t have any need for things to work on old MSIE versions, just not break beyond expectation there).
@simon_brooke @jaseg @guades no, because you have to switch that on the js level depending on whether the browser has the attestation extension or not
@mirabilos @jaseg @guades No, you can do it with mod_rewrite, on the user agent string, which contains the browser version.
https://www.whatismybrowser.com/guides/the-latest-user-agent/chrome
@simon_brooke @jaseg @guades no, because comparing by versions is not the correct way to detect this, neither complete nor safe from false positives
@simon_brooke @jaseg @guades what you could do is to change the location in the js instead, sure. That’d allow for using the site’s proper style, even. Not a simple drop-in solution, but not bad either.
@mirabilos @jaseg @guades That may be what you do.
You do you.
@jaseg I feel that this is more likely to just make people not use a website than switch browsers, sadly... People are resistant to change. :(
I think I might just check for a Chrome user agent serverside and serve a warning about it in the masthead.
I think I might just check for a Chrome user agent serverside and serve a warning about it in the masthead.
Free Pietje 🇵🇸 🍉@jaseg
Yours is much better, but I proposed a simple filter on UserAgent here:
https://x0f.org/@FreePietje/110782227575268067
Sharing it as I like my
"The fix is to switch to Firefox.
Or circumvent this simple attestation by changing your UserAgent"
Free Pietje (@[email protected])
IIRC some time ago the idea was floating around to create a new HTTP status/error code: 666 That was for the previous horrible thing that G👀gle did. How about we implement it this time around? Something like: - If UserAgent = G👀gle/Chrome/Chromium/etc then return 666 with "This page was written for the Open Web, but your browser is against that, so we can't serve you this page. The fix is to switch to #Firefox. Or circumvent this simple attestation by changing your UserAgent" #GoogleIsEvil
Unknown Universe@jaseg Thank you for this, adding it to my site as soon as I can
gravitos 
@jaseg my issue with Firefox is that its android version does not support 98% of extensions anymore. and the only browser for android that supports all the extensions i use (like, say, Stylus for blobcat-shaped buttons on fedi posts, FediAct for remote instance reblobs, Tap To Tab for navigation convenience, Consent-O-Matic against all that usual cookie bullshit) is a chromium-based Kiwi, that also, apparently, has this BS already merged. so yeah, unless there is a firefox fork that offers at least some support for arbitrary desktop extensions for android, im fucked 
also, desktop Firefox is ugly (tho this is fixable with userCSS) and mobile Firefox is not adapted to big screens since the exact moment they fucked up the extensions on mobile.
also also, new Firefox can remotely disable your extensions per-website because FUCK USERS.
any actually good browsers?
@gravitos I don't believe firefox is the perfect browser. There is always room to improve. It's just a lot better than chrome, and more importantly, aligned with it's users interests. Sometimes the second worst option is all we've got.
James Henstridge
RAOF@gravitos @jaseg while it's a bit “beware of the leopard”, it is possible to use arbitrary extensions on mobile (beta) Firefox.
Dan Joneslynx is a good browser, but not a particularly good mobile browser
Ugghhh. I switched to Kiwi because it was the only Android browser to support the Bypass Paywalls extension.
But, I was able to use most any Firefox extension on most Android Firefox forks. It does t require the extension be on Mozilla Add-Ons, and I have an account there. Just make a custom add-on collection of any that I want to use.
It's a pain to have to add them to the collection before I could use them, but it worked. Used it on Iceraven, Mull, and Fennec F-Droid.
js
DeepBlue V7.X@jaseg Now I just need a good blog post explaining why that DRM is bad, so that I can link it as a reference from that block :)
@deepbluev7 I'd suspect either @pluralistic has already written something, or is going to write something when this hits the first release.
@jaseg @pluralistic I guess https://vivaldi.com/blog/googles-new-dangerous-web-environment-integrity-spec/ works as well :)
Trolli Schmittlauch 🦥@jaseg Done, thanks.
@jaseg Btw, I'd need someone to test this for me. Either Chrome on macOS (the "worst"/ "most-proprietary" browser combination I have access to) doesN#t have WEI einabled, or I did the scripting wrong.
https://schmittlau.ch/
https://schmittlau.ch/
Softwarewolf@jaseg I have a new Apache (please don't judge me) rewrite rule for all my webbed sites now
RewriteCond %{HTTP_USER_AGENT} .*Chrome.*
RewriteRule ^(.*)$ /get_firefox.html [L]
Kyle Brown 
@jaseg "In support of an open Internet we support your right to use ad blockers" que?
Nora Tindall
BrightFlame 🌟☀️🌙@noracodes @jaseg thank you for this thread, all. I suggest using non-jargon in the messaging. I'm not a tech person and don't know what DRM stands for. I'd love to fight back against ggl et al, but it would help to have the acronym spelled out and be a non-tech term. 1/2
2/2: I only use Firefox and have specific containers for various sites. and i have ghostery and adblock on my computer. Noticed recently that the Firefox facebook container is no longer blocking out ads. Maybe these changes you're discussing explain why? @noracodes @jaseg
moving_target01
vibhor 🍑 🏳️🌈@BrightFlame @noracodes @jaseg well fb is not letting me login in firefox with the level of filtering I have been doing ! So i left fb altogether !
@BrightFlame I'm sorry for the brevity in my original toot. My instance has a 500 character toot limit, and I tried to pack as much as I could in there ^^
gkrnours@BrightFlame @noracodes @jaseg DRM stand for digital right management. It's a set of technic like preventing you from skipping ads at the beginning of a 10 years old DVD. Here it would give websites the ability to refuse serving you content if you have an ad blocker installed
@noracodes Your website is so pretty!
Max B@noracodes How are you testing this? I don't see it in my Chromium so I guess WEI hasn't made it into the Ubuntu repos
@jaseg It needs a <p> tag after the header, or it will line before and after the <a> tag.
Qfinity@jaseg thank you for this, yes I did more or less the same. Since I use Brave (lets just say, they already did much of this already and Brave Browser is uses the Chromium source code, I had to introduce only slight modifications, for those not using Brave. So on my server and by ext. domain/sites I recommend people use Brave. Also I stopped using Google Search a long time ago, Brave's own Search is much better than even duckduckgo
[Yaseenist] CauseOfBSOD 
@jaseg will hopefully remember to do this when i get back home
Nemo_bis 🌈@jaseg Nice. As many may not know what a DRM is, I suggest to spell it out as #DigitalRestrictionsManagement.
@nemobis I agree! I only had a 500 character toot limit to work with! This thing is definitely a hack and could be improved. It also doesn't mesh well with some kinds of CSS.
jelte@jaseg Since ad platforms are a known malware vector that adblockers protect against, can we conclude that google is forcing viruses on our computers?
Simon Frankau@jaseg Any thoughts on extending the block to Safari? (https://httptoolkit.com/blog/apple-private-access-tokens-attestation/)
Matty@jaseg it brings me memories back.
of when websites would display messages such as "this site does not work on internet explorer, and that's a feature".
back when we believe on the lie of "do not be evil" from google.
well, turns out chrome has become the internet explorer it killed.
Aleksandrs Safronovs@jaseg please add a ling to DuckDuckGo and Brave too 🖤🖤🖤
Michel Bozgounov 🇺🇦 🇪🇺@jaseg I think it's a bit discriminating to block people based on what browsers they are using? Perhaps better would be:
- a JS script detects the DRM feature
- if there's no DRM feature detected, do nothing
- if the DRM feature is detected, a notice (in simple HTML) is displayed at the top or bottom of the page; the notice could be along these lines: "The browser you are using has an anti-user DRM feature enabled <link to more information>. We suggest using <Firefox, Safari, etc.> instead."
?
- a JS script detects the DRM feature
- if there's no DRM feature detected, do nothing
- if the DRM feature is detected, a notice (in simple HTML) is displayed at the top or bottom of the page; the notice could be along these lines: "The browser you are using has an anti-user DRM feature enabled <link to more information>. We suggest using <Firefox, Safari, etc.> instead."
?
@jaseg P.S. If you think what I suggest makes some sense, a sample working working code will be appreciated! (And btw, using CodePen or a similar service will also allow to easily overcome the character limit.) :)
catraxx 
@jaseg Yeah. Fuck em. I am sick and tired of google trying to control the web.
serxozTy! Just added to my personal site ;D
Clément CG@jaseg This is genius. Great. Thanks for sharing.
Reina 
@jaseg Reminder to wrap the body text inside a `<p>` element for better accessibility :)
Hippo 🍉@jaseg I first came across this toot in isolation and was going to say "I took a while to get the joke but it was worth it."
Then I realised it wasn't a joke...which is actually even better! Let's hope this trend catches on!