Re: Call for Consensus: Subresource Integrity to FPWD. from Mike West on 2014-03-11 (public-webappsec@w3.org from March 2014)

From: Mike West <mkwst@google.com>
Date: Tue, 11 Mar 2014 10:33:42 +0100
To: Adam Langley <agl@google.com>, Yoav Weiss <yoav@yoav.ws>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Devdatta Akhawe <dev.akhawe@gmail.com>, Frederik Braun <fbraun@mozilla.com>, Joel Weinberger <jww@google.com>
Message-ID: <CAKXHy=cf8gm3RySW+KtFdezc4jLS8JzqzJWTJK-CJv=uLEiTWg@mail.gmail.com>

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

On Mon, Mar 10, 2014 at 6:30 PM, Adam Langley <agl@google.com> wrote:

> On Wed, Mar 5, 2014 at 3:21 AM, Mike West <mkwst@google.com> wrote:
> > Hello, lovely webappsecians. Remember that lively discussion we had in
> > January? Let's pick that back up again.
> >
> > This is a call for consensus to accept the following draft of Subresource
> > Integrity as a First Public Working Draft:
> >
> > http://w3c.github.io/webappsec/specs/subresourceintegrity/
> >
> > Subresource Integrity defines a mechanism by which user agents may verify
> > that a fetched resource has been delivered without unexpected
> manipulation.
> > There's still quite a bit of work to be done, but I believe we're in good
> > shape for an initial publication. Do you agree?
>
> I think issue 4 is critical.
>

I agree.

The only open question in my head is whether we'd require _all_ of the
supported integrity metadata sets to match, or just one.

> For issue 7, I would think that metadata could be omitted for
> resources from the same origin because that's the source of the
> metadata in the first place and so must be trusted.
>

This makes good sense.

> I think issues 10-12 need to be resolved either by omitting these
> elements from the v1 spec, or including a progressive hashing mode.
>

I agree.

> Additionally, srcset[1] contains some challenges and probably merits
> an issue in the draft.
>
> [1] http://www.w3.org/html/wg/drafts/srcset/w3c-srcset/

Yes, I hadn't considered that at all, and you're entirely correct that it's
challenging. Is srcset the syntax folks have settled on, or is discussion
around alternate syntaxes still ongoing?

Yoav? Can you comment on that question?

-mike

Received on Tuesday, 11 March 2014 09:34:30 UTC