Google is well and truly on a roll lately. The Chrome 85 release is jam-packed with new features including the new content visibility property which I wrote about here. Something not many might realise is that Google has experimental support in Chrome 80 for Web Bundles.
What are Web Bundles?
Essentially, it is a new file format which allows resources in a web application to be compiled into a singular file. Think images, Javascript files, CSS and other resources you might find on a webpage. They can all be packaged into a singular file and work offline.
In theory, it sounds cool, but in practice, you can see how this could be abused. When you load a .wbn
file, you don’t see URL’s to resources but rather indexes which have no meaning and are not transparent.
Right now, they are hidden behind a flag you need to enable visiting chrome://flags
Privacy researcher Peter Snyder recently published a scathing takedown of Google’s proposal and cited some valid concerns over the new Web Bundles proposal. Describing Web Bundles, Snyder uses a great analogy of a PDF file.
WebBundles make Websites behave like PDFs (or Flash SWFs). A PDF includes all the images, videos, and scripts needed to render the PDF; you don’t download each item individually.
Part of the concern here is being driven by how this new experimental proposed suite of features could be abused and specifically, used by advertising networks (Google itself is one) to make it impossible to block ads or tracking scripts which would essentially be obfuscated in the bundle.
If you were thinking that Mozilla might also err on the side of caution here and consider this Google-championed proposal as potential harmful — well, it turns out that Mozilla is seemingly supportive of the standard, as made evident here.
Fortunately, there are people championing solutions to the problem of obscured/obfuscated resources inside of wbn
bundles. Naming resources inside of bundles. Some of the concern is people could hide dangerous code like cryptocurrency miners and tracking scripts and they won’t show up in the network tab or be easy to block.
Privacy implications aside, another concern is that web bundles will negate the one benefit that they provide besides blocking ads and trackers: saving bandwidth. The current proposal means bundles are shipped as a whole and do not allow you to ignore certain files or resources which might sap bandwidth (especially important on mobile).
It is worth noting that some of these concerns are being taken into consideration and the use cases page for the emerging proposed standard does mention some use cases.
I see the value in the proposed set of standards, but the concerns surrounding them are very real. The scary thing is Google has already shipped experimental support behind a flag in Chrome, there is a very real possibility this could happen.
As the standard currently stands, we should be concerned. Google has a conflict of interest as they stand to profit more than most if they can find a way to solve the adblocker problem which is a threat to one of the most profitable parts of their business. Where do we draw the line? This all smells of DRM-type thinking.
While ads are just one part of the equation, we need to start holding Google to a higher standard than we currently do as they wield a lot of influence.