Re: [w3ctag/design-reviews] Signed Exchanges (#235)

Thank you for the feedback!

> We were hoping to find more details about the validity-url. What happens if a cert matches but the validity URL does not load? Does that fetch never happen?

Short answer: If the signature is valid, the UA will load the content without fetching the validity URL. We expect only intermediates to fetch the validity-url, not UAs.

A UA *could* fetch the validity-url to get a live assurance that the signed data is current, but the current loading spec only discusses the UAs that do not do this. For those UAs without validity URL support, only the validity of the validity URL (whether it passes a URL parser && has an https scheme && is same-origin with the signed URL) is checked, and the resource hosted at the validity URL is not checked.

We have not yet specified how loading should work for the intermediates which support validity-urls. I just opened an issue: https://github.com/WICG/webpackage/issues/324.

Regarding SXG handling in fetch() and how the platform API should look for Bundles, we are still exploring how these should work. We will be sure to answer your questions in the upcoming loading spec.

-- @jyasskin, @nyaxt, @kinu


-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/235#issuecomment-434941339

Received on Thursday, 1 November 2018 06:10:37 UTC
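The validity-URL check the reply describes for UAs that never fetch it (parses, https scheme, same-origin with the signed URL), written out as an added example; this is not code from the reply or from the webpackage project. It assumes Python's `urllib.parse.urlsplit` stands in for the spec's URL parser and that same-origin means an identical (scheme, host, effective port) tuple.

```python
from urllib.parse import urlsplit

# Default ports used to compare origins when a URL omits the port.
DEFAULT_PORTS = {"https": 443, "http": 80}


def origin(url):
    """Return (scheme, host, effective port) for a URL, or None if it does not parse."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError for a non-numeric or out-of-range port
    except ValueError:
        return None
    if not parts.scheme or not parts.hostname:
        return None
    scheme = parts.scheme.lower()
    if port is None:
        port = DEFAULT_PORTS.get(scheme)
    return (scheme, parts.hostname.lower(), port)


def validity_url_acceptable(signed_url, validity_url):
    """Check a signed exchange's validity-url without fetching it.

    Accepted only if validity_url parses, uses the https scheme, and is
    same-origin with the signed request URL; anything else is rejected,
    which keeps freshness data from being sourced from a third-party origin.
    """
    validity_origin = origin(validity_url)
    if validity_origin is None or validity_origin[0] != "https":
        return False
    return validity_origin == origin(signed_url)


if __name__ == "__main__":
    # Constructed sample URLs, not taken from any real exchange.
    signed = "https://example.com/article.html"
    for candidate in ("https://example.com/article.validity",
                      "http://example.com/article.validity",
                      "https://cdn.example.net/article.validity"):
        print(candidate, "->", validity_url_acceptable(signed, candidate))
```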