
Extending Subresource integrity to more elements (<a>, <img>, etc.)

From: Bertil Chapuis <bchapuis@gmail.com>
Date: Fri, 14 Sep 2018 15:01:31 +0200
Message-ID: <CAPb0btg8tX+teg8n46eu31=kCG2TxJU-4ZrTC4+s7SRA0NFMjg@mail.gmail.com>
To: public-webappsec@w3.org
Cc: Kévin Huguenin <kevin.huguenin@unil.ch>, Igor Bilogrevic <ibilogrevic@google.com>, mkwst@google.com

Hello WebAppSec,

My colleagues and I have been doing some research on the use of
checksums to improve the security of web downloads (i.e., integrity
verification of downloaded files). One of the solutions mentioned in
the paper to improve the usability of checksum-based integrity
verification is to extend Subresource integrity (SRI) to <a> elements
(this idea has been in the air for quite some time now). Extending it to
other elements such as <img> would make sense as well. A brief
explainer is available here:

https://github.com/checksum-lab/checksum-lab.github.io/blob/master/README.markdown

We would like to push this idea further and are willing to devote some
time to that. Note, however, that we have very little knowledge and
no experience regarding specification writing and W3C processes in
general. Would a revision (v2) of the SRI spec be the best way to
proceed? Is anyone willing to mentor us through this process?

Please let us know what you think about the proposal and what the next
steps on our side would be.

Best regards,

Bertil, Kevin, Igor
Received on Friday, 14 September 2018 13:20:15 UTC
