RfC: Subresource Integrity; deadline May 26

The WebAppSec community requests review of Subresource Integrity 
<http://w3c.github.io/webappsec/specs/subresourceintegrity/>, specifically:

[[
Fetch Integration
Privacy and Security Considerations
CORS interactions
Future Considerations regarding broader integration into other HTML elements
Extensibility
]]

If you have any feedback, please send it to public-webappsec @ w3.org 
([archive]), using a "[SRI]" Subject: prefix, by May 26.

-Thanks, AB

[archive] <https://lists.w3.org/Archives/Public/public-webappsec/>

-------- Forwarded Message --------
Subject: 	Subresource Integrity - review requested
Resent-Date: 	Thu, 07 May 2015 19:33:16 +0000
Resent-From: 	public-review-announce@w3.org
Date: 	Thu, 7 May 2015 19:30:48 +0000
From: 	Brad Hill <hillbrad@fb.com>
To: 	public-review-announce@w3.org <public-review-announce@w3.org>



Hello,

The Web Application Security Working Group requests review of the following specification before 2015-05-26:

    Subresource Integrity
    http://w3c.github.io/webappsec/specs/subresourceintegrity/
	
The group requests feedback via public-webappsec@w3.org with [SRI] in subject line

This specification defines a mechanism by which user agents may verify that a fetched resource has been delivered without unexpected manipulation.  Specifically, this version uses hashed metadata annotations delivered as a new "integrity" attribute of the <script> and <link> tags.

Level 1 is intended as a "minimum viable" release, targeting what the group believes to be a few high-value use cases with the most manageable requirements, in order to learn how such a mechanism will interact with the large scale architecture of the Web, before proceeding to additional features and scenario targets.

The group has specifically asked for feedback on the following:

============================================
Fetch Integration
Privacy and Security Considerations
CORS interactions
Future Considerations regarding broader integration into other HTML elements
Extensibility
============================================

Sincerely,

Brad Hill
Co-chair, WebAppSec WG

Received on Thursday, 7 May 2015 20:15:53 UTC