Mozilla 2019 Position
Title: Mozilla’s Position on Web Packaging
Authors: Mozilla
Abstract/Summary: Web packaging proposes a significant change to the web platform in the way that content is delivered and authenticated. From a technical standpoint, the changes are thorough and well-considered. There are some technical costs around security, operations, and complexity, but the specifications take steps to limit most of these costs. The most disruptive feature of the proposal, origin substitution, describes a fundamental change to the security architecture of the web. In addition to a significant increase in complexity, origin substitution creates new angles of attack that site operators need to consider before they adopt the technology. Changes to the way sites operate could result in non-trivial security risks. The main concern is web packaging might be employed to alter power dynamics between aggregators and publishers. At this moment, we don’t understand enough to say definitively that this is damaging to the system. How this technology is deployed matters. Deployment without systems of accountability, oversight, and limitations on use could be harmful. There are no constraints on deployment in the proposals, so much depends on how the technology is used and the incentives around that use. As a large suite of mechanisms, there are parts of web packaging that could be valuable on their own, such as the design of a common resource bundling format. There are also ways in which using web packaging could encourage better security and performance practices from sites. As a whole, and for origin substitution in particular, until more information is available on the effect on the web ecosystem, Mozilla concludes that it would not be good for the web to deploy web packaging.
Other: Request for Mozilla Position