Improving the trustworthiness of Javascript on the Web
October 22, 2025

It would be nice if we could get these properties for our end-to-end encrypted web application, and the web as a whole, without requiring a single central authority like an app store. Further, such a system would benefit all in-browser uses of cryptography, not just end-to-end-encrypted apps. For example, many web-based confidential LLMs, cryptocurrency wallets, and voting systems use in-browser Javascript cryptography for the last step of their verification chains.

In this post, we will provide an early look at such a system, called Web Application Integrity, Consistency, and Transparency (WAICT) that we have helped author. WAICT is a W3C-backed effort among browser vendors, cloud providers, and encrypted communication developers to bring stronger security guarantees to the entire web. We will discuss the problem we need to solve, and build up to a solution resembling the current transparency specification draft. We hope to build even wider consensus on the solution design in the near future.
Source: Improving the trustworthiness of Javascript on the Web
Web application security can be particularly challenging because it is hard to guarantee the integrity of the resources that a web application includes.
Native apps are typically self-contained bundles: once the app is built and deployed, the resources (like the code that runs, images, and so on) don’t, indeed can’t, change.
Web applications are inherently dynamic. Whatever lives at the end of a URL, for example JavaScript (whether that’s our own or third-party script), CSS, images, and so on, can change at any time.
And this presents a very significant challenge to security for web applications.
There are techniques we can use to mitigate these challenges, but the W3C and a number of major cloud providers are working on WAICT (Web Application Integrity, Consistency, and Transparency) to address these challenges at a more fundamental level.







