FYI: signature-based SRI in W3C WebAppSec

From: Mark Nottingham <mnot@mnot.net>
Date: Thu, 16 Nov 2017 10:29:52 +0800
Message-Id: <CB32F185-E554-4687-A644-AD005558741E@mnot.net>
To: HTTP Working Group <ietf-http-wg@w3.org>

Folks here might be interested in this proposal:
  https://github.com/mikewest/signature-based-sri

... which is currently being considered for adoption in W3C's WebAppSec WG. It proposes doing SubResource Integrity (i.e., an integrity check before a browser will use a JavaScript file, for example) using a signature that could be carried in a response header -- a mechanism we've discussed in the past.

See discussion:
  https://www.w3.org/mid/CAKXHy=c3nJw7vGr+6GN9P=HTaT1Mo5_x4r-P-tKjZswS3SAtpw@mail.gmail.com

Cheers,

--
Mark Nottingham   https://www.mnot.net/
Received on Thursday, 16 November 2017 02:29:32 UTC
