Google's Web Packaging standard arises as a new tool for privacy enthusiasts

Web Packaging will let site owners create signed versions of their pages to distribute via alternative channels.

Chrome Web Packaging

For the past year, Google engineers have been working on a new specification for delivering web pages that may prove quite the useful feature for developers of privacy-first online services.

Named Web Packaging, this is a new way of "packaging" a web page and making it ready for delivery to a user's browser.

In the current state of affairs, when a user wants to load a website, it establishes a connection to the website's server and downloads all the files it needs.

However, Web Packaging allows website owners to create a cryptographically-signed version of the page, in one single file, which they can distribute to users via alternative channels, even without breaking HTTPS support.

Google says that website owners can share these signed versions of their pages via their normal web server, via cache systems, or even using peer devices, such as other users' smartphones and computers.

Ideal for bypassing ISP filters

"This can enable privacy safe pre-loading models because the data to fetch the package doesn't go back to the origin server," said Ben Galbraith, Senior Director at Google, while speaking on stage at the Google I/O 2019 developer conference yesterday.

Web Packaging looks like an ideal solution in cases where nation-states or internet service providers might block access to a website.

Website owners can create signed packages of their sites' pages, which can then be introduced inside a network of peers and shared among users without having to connect to the origin server that might have been blocked locally.

If the cryptographically signed package doesn't validate, then users would know that someone has tampered with the page and its content.

Political news sites can greatly benefit from the technology, but so do sites focused on online piracy, along with other many bad sites.

Spin-off from AMP

But Google never intended to create a new technology for bypassing ISP blocks.

Web Packaging was first announced at last year's I/O conference, and was initially developed to improve the company's AMP (Accelerated Mobile Pages) technology.

Web Packaging was supposed to provide a faster way of delivering news articles via AMP by packing a web page's entire content in one single file --with Google hosting the signed page inside AMP's cache system.

Since then, the technology has been opened to everyone and can be used by all websites, independently from AMP. Google has even open-sourced a command-line tool that lets website owners create signed packages of their web pages to distribute outside of AMP, from their own servers.

However, despite its advantages, Web Packaging is only supported in Chrome Canary, for the moment. Microsoft has expressed support in supporting Web Packaging in a future version of Edge, but other browser vendors have not been open to the idea, with both Apple and Mozilla being opposed to it altogether. For now and the foreseeable future, the technology seems to be set to work only with Chromium-based browsers.

Additional details on Web Packaging can be found in its IETF and WICG drafts [1, 2].

More browser coverage: