Hi! Within the scope of this launch the API was exposed just to `Window`, despite the spec mentioning <https://wicg.github.io/web-smart-card/#extensions-to-the-workernavigator-interface> exposing it also to dedicated and shared workers. I want to bridge this and make it available to workers as well (without changing the current security/privacy measures, in particular the focus requirement for `connect()`). Does anyone have anything against this?
Have an awesome day,
zgroza

On Tue, Oct 7, 2025 at 2:12 AM Daniel Clark <[email protected]> wrote:

> LGTM3
> ------------------------------
> *From:* Mike Taylor <[email protected]>
> *Sent:* Monday, October 6, 2025 4:09 PM
> *To:* Alex Russell <[email protected]>; blink-dev <[email protected]>
> *Cc:* Reilly Grant <[email protected]>; Zgroza (Luke) Klimek <[email protected]>
> *Subject:* [EXTERNAL] Re: [blink-dev] Intent to Ship: Web Smart Card API
>
> LGTM2 (thanks for the very well-written explainer, btw).
>
> On 10/6/25 2:19 p.m., Alex Russell wrote:
>
> LGTM1
>
> On Thursday, October 2, 2025 at 12:57:05 PM UTC-7 Reilly Grant wrote:
>
> LGTM as an IWA OWNER (3x LGTM from Blink API OWNERS are still required according to the IWA-specific API launch process <https://www.chromium.org/blink/launching-features/isolated-web-apps/>).
>
> Similar to Unrestricted WebUSB, this API is granting access to devices which we've made an explicit decision not to give to normal web sites. The additional integrity provided by IWAs allows us to make a meaningful decision that if access is granted to an app then the app's behavior is well-known and cannot be compromised by common attack vectors.
>
> This API exists to support specific, mainly enterprise-focused, use cases. On the broader web device-based authentication solutions such as WebAuthn are more appropriate.
>
> Reilly Grant | Software Engineer | [email protected] | Google Chrome <https://www.google.com/chrome>
>
> On Thu, Oct 2, 2025 at 6:39 AM Luke Klimek <[email protected]> wrote:
>
> Contact emails
>
> [email protected], [email protected]
>
> Explainer
>
> https://github.com/WICG/web-smart-card/blob/main/README.md
>
> Specification
>
> https://wicg.github.io/web-smart-card
>
> Summary
>
> Enables smart card (PC/SC) applications to move to the Web platform. It gives them access to the PC/SC implementation (and card reader drivers) available in the host OS.
>
> Administrators can control the availability of this API either:
>
> - Globally—using the DefaultSmartCardConnectSetting policy.
> - Per-application—using the SmartCardConnectAllowedForUrls and SmartCardConnectBlockedForUrls policies.
>
> Blink component
>
> Blink>SmartCard <https://issues.chromium.org/issues?q=customfield1222907:%22Blink%3ESmartCard%22>
>
> Web Feature ID
>
> None
>
> TAG review
>
> This is an IWA-only API, and TAG has made it clear recently that they don't want to review IWA-related stuff. Relevant statement: https://github.com/w3ctag/design-reviews/issues/842#issuecomment-2917031448
>
> TAG review status
>
> Not applicable
>
> Risks
>
> Interoperability and Compatibility
>
> Other browsers may choose to implement this API, that is however dependent on adoption of the Isolated Web Apps as a whole.
>
> Gecko: No signal
>
> WebKit: No signal
>
> Web developers: Positive (https://github.com/WICG/web-smart-card/issues/43)
>
> Other signals:
>
> Security
>
> https://github.com/WICG/web-smart-card?tab=readme-ov-file#security-and-privacy-considerations
>
> https://wicg.github.io/web-smart-card/#security-privacy
>
> This is a highly security-sensitive API. This is why it is currently being guarded behind:
>
> 1. Isolated Web App installation (and also declaration of the `smart-card` permission policy in the manifest).
> 2. Fine-grained user-facing permission mechanism that gives the end user control over the most privacy-sensitive moments (connection to a smart card reader).
>
> For more context on the permissions design and how it interacts with Chrome UI and enterprise policy see go/web-smart-card-api-permissions <http://goto.google.com/web-smart-card-api-permissions> (sorry, Googlers-only).
>
> WebView application risks
>
> Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
>
> None.
>
> Debuggability
>
> The code using this API can be debugged using the standard tools. Potential future improvement would be a new CDP domain to allow mocking system PC/SC to not rely on actual hardware.
>
> More design explorations at go/web-smart-card-api-cdp <http://goto.google.com/web-smart-card-api-cdp>, sorry, Googlers-only. Complexity of this endeavour however makes us defer this at least until cross-platform launch. This is a part of a broader effort to add WPTs to this feature: https://crbug.com/40275258
>
> Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, ChromeOS, Android, and Android WebView)?
>
> No. Underlying implementation highly depends on the system native PC/SC stack. ChromeOS is the first platform implemented. Also, IWAs themselves are not currently launched anywhere else.
>
> Is this feature fully tested by web-platform-tests <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
>
> No. WPT does not support IWA test environments. Once that support is available, we can investigate adding IWA-focused WPT tests. Also, the implementation is highly complex, as the API depends on communication with the native system PC/SC and actual hardware. Future WPT implementation, tentatively planned for the cross-platform launch is tracked here: https://crbug.com/40275258
>
> DevTrial instructions
>
> https://github.com/WICG/web-smart-card/blob/main/HOWTO.md
>
> Flag name on about://flags
>
> enable-smart-card-web-api
>
> Finch feature name
>
> SmartCard
>
> Rollout plan
>
> Will ship enabled for all users
>
> Requires code in //chrome?
>
> True
>
> Tracking bug
>
> https://bugs.chromium.org/p/chromium/issues/detail?id=1386175
>
> Launch bug
>
> https://launch.corp.google.com/launch/4234437
>
> Measurement
>
> UseCounters:
>
> 1. SmartCardEstablishContext: Entry point to the API overall.
> 2. SmartCardConnect: Entry point to actually using API for communication with smart card readers.
>
> Availability expectation
>
> API is available only in Chromium browsers for the foreseeable future—no other browser engine has yet displayed interest in implementing Isolated Web Apps, which are a prerequisite to this API. Initially API will be available on ChromeOS only, with intent to implement it elsewhere later (as Isolated Web Apps are launched on other platforms).
>
> Adoption expectation
>
> Expected to be used initially by a small number of developers inside Isolated Web Apps.
>
> Adoption plan
>
> Working directly with developers that are planning to rely on the API.
>
> Non-OSS dependencies
>
> Does the feature depend on any code or APIs outside the Chromium open source repository and its open-source dependencies to function?
>
> Yes. This API depends on the system-specific PC/SC implementation, as it is essentially a proxy to it. For the initial launch on ChromeOS, this extension is the sample provider that should be installed in Chrome for the API to function: https://github.com/GoogleChromeLabs/chromeos_smart_card_connector On the other platforms, we will probably add new dependencies (PCSC on Windows and PC/SC lite elsewhere) to the Chromium project itself.
>
> Sample links
>
> https://github.com/GoogleChromeLabs/web-smartcard-demo
>
> Estimated milestones
>
> Shipping on desktop
>
> 143
>
> DevTrial on desktop
>
> 141
>
> Anticipated spec changes
>
> Open questions about a feature may be a source of future web compat or interop issues. Please list open issues (e.g. links to known github issues in the project for the feature specification) whose resolution may introduce web compat/interop risk (e.g., changing to naming or structure of the API in a non-backward-compatible way).
>
> None.
>
> Link to entry on the Chrome Platform Status
>
> https://chromestatus.com/feature/6411735804674048?gate=4552874575527936
>
> Links to previous Intent discussions
>
> Intent to Prototype: https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CA%2BenBd9j9Ucy-BKqfQSk9hZxVG6-qm4H6X3%3DxT9U86KpiOpKeA%40mail.gmail.com
>
> This intent message was generated by Chrome Platform Status <https://chromestatus.com/>.
>
> --
> You received this message because you are subscribed to the Google Groups "blink-dev" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CANLtwd0PyL0BsedCr%3Do3%2BXoTRHFRi5O9t9wygwDe_7vf9OhKNQ%40mail.gmail.com.
