Subresource Integrity strawman. from Mike West on 2014-01-08 (public-webappsec@w3.org from January 2014)

From: Mike West <mkwst@google.com>
Date: Wed, 8 Jan 2014 12:15:59 +0100
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Cc: Devdatta Akhawe <dev.akhawe@gmail.com>, Frederik Braun <fbraun@mozilla.com>, Joel Weinberger <jww@google.com>, Brad Hill <bhill@paypal.com>, Anne van Kesteren <annevk@annevk.nl>, Mark Nottingham <mnot@mnot.net>, Tab Atkins <tabatkins@google.com>, Ilya Grigorik <igrigorik@google.com>
Message-ID: <CAKXHy=ezy1rycnCt=iNMOfm73B8Y==wgJNZBaBnjbJ0ZnfGPPA@mail.gmail.com>

TL;DR: A strawman draft of Subresource Integrity is up on GitHub for
review: http://w3c.github.io/webappsec/specs/subresourceintegrity/ Feedback
is ever so appreciated.

Hello, lovely webappsec folks!

Frederik, Devdatta, Joel, and I have put together an initial draft of a
Subresource Integrity spec for discussion. The goal is to define a
mechanism by which user agents may verify that a fetched resource has been
delivered without unexpected manipulation, consistent with the WG's recent
rechartering. We'd very much appreciate you taking a look:
http://w3c.github.io/webappsec/specs/subresourceintegrity/

In short, the spec proposes a mechanism for tying integrity metadata to
resource loads for HTML-, JS-, and CSS-triggered fetches. It adds some
processing to the Fetch algorithms to check whether a loaded resource
matches that integrity metadata, and offers the ability to specify how a
user agent should react to a failed integrity check.

The draft is fairly rough in places, but we think it's reasonably complete
enough to bring to the working group for public discussion. You'll notice
many large red TODO boxes; you opinions and contributions in these spots is
particularly desirable.

The biggest area still under discussion is an optional mechanism by which a
resource may be loaded from a non-canonical source (perhaps over HTTP),
falling back to a canonical source (HTTPS) if manipulation is detected.
This was part of Brad's initial proposal, but I haven't put much work into
specifying how it would work, as it's unclear to me what value it adds for
the author or user. I'm hoping to have some discussion about that to
determine whether it's something we want to pursue.

Thanks for your time!

(CCing a few folks who expressed special interest, or who I poked ahead of
this email for feedback)

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

Received on Wednesday, 8 January 2014 11:16:48 UTC