W3C home > Mailing lists > Public > public-html@w3.org > August 2013

Re: [Feature Proposal] New attributes "library" and "version" on script tags

From: Nathanael D. Jones <nathanael.jones@gmail.com>
Date: Sat, 10 Aug 2013 14:13:11 -0400
Message-ID: <CAG3DbfWQHv_Thoyn67f42=o8pMSivoiwFgVm9f7tx_27U8nNpw@mail.gmail.com>
To: Fran├žois REMY <francois.remy.dev@outlook.com>
Cc: Chris Bojarski <chris@cbojar.net>, HTML WG <public-html@w3.org>
I would suggest a generic approach:

1. Permit authors to specify a hash of the decompressed,
encoding-normalized file contents, for any script, style, or image. Only
the encoding for textual mime-types should be normalized, and it must be
lossless normalization to prevent exploitation.

2. The hash must be encoded in URL-safe Base 64 (see RFC 4648
http://tools.ietf.org/html/rfc4648#page-7)

3. The hash algorithm shall be SHA-2 512. (64 bytes).

Example: <script src="http://url"
sha2="base64-url-encoded_64_byte_hash"></script>

4. If specified, and if the downloaded, normalized file matches, the file
will be cached with high priority.

5. Any future website, app, or domain requesting the same hash (regardless
of URI associated) will be given the cached file instead, with no network
request.

6. Browsers may choose to implement higher-level caching (such as at the
AST level) to eliminate parsing costs associated with popular hashes.

Note that SHA2 has no known collisions and exceeds the cryptographic
security of most SSL implementations. It would be quite hard to break, and
certainly not the weak link. This approach would not require vendors to
include any libraries, but would provide significant performance gains for
users who opt-in. Hash verification would only be required the first time a
resource is requested; future uses would not incur any cryptographic
overhead.



On Sat, Aug 10, 2013 at 2:06 PM, Fran├žois REMY <
francois.remy.dev@outlook.com> wrote:

> Sorry, I'm strongly against this.
>
>
> If the proposal is to have browsers ships libraries by default, then this
> is clearly a no from my point of view.
>
> Firstly, it breaks net neutrality, and it makes it harder for new
> librairies to gain traction as they would require a full download while
> some other ones would benefit from get-go download.
>
> Secondly, this would slow down the adoption of new versions as people will
> become afraid of triggering downloads on older browsers that do not ship
> with the new version of the library built-in.
>
>
> I thought the proposal was about making a better use of the local cache by
> preventing independent websites to constantly redownload the same files
> even if they're hosted on multiple sites, which would be possible using a
> digital signature system.
>
> That would bring you the benefits of a CDN without having a centralized
> CDN anyway. Librairies that are used a lot possibly gain extended cache
> benefits, but no library gets a special status under this umbrella.
>
> I would support such a proposal, but not a proposal whose goal is to
> integrate libraries into browsers.
>
>
Received on Saturday, 10 August 2013 18:13:58 UTC

This archive was generated by hypermail 2.3.1 : Thursday, 29 October 2015 10:16:34 UTC