Re: Extending Subresource integrity to more elements (<a>, <img>, etc.)

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Fri, 14 Sep 2018 19:20:29 -0700
Message-ID: <CAPfop_3vQGydF8NhZvLuVMVamA10e2ZgO-vHbCwzwyQKwE_NCQ@mail.gmail.com>
To: Bertil Chapuis <bchapuis@gmail.com>
Cc: public-webappsec@w3.org, Kévin Huguenin <kevin.huguenin@unil.ch>, Igor Bilogrevic <ibilogrevic@google.com>, mkwst@google.com

Hey Bertil

Thanks for your interest! We would love your help.

There is a lot of history here
https://github.com/w3c/webappsec-subresource-integrity/issues/68

The spec work is a bit tricky too given that you need to define the cross
origin tag for anchor etc. But if @annevk is helping, I am confident most
spec issues can be resolved.

Personally, I think the big blocker is browser interest. It's not clear any
browser is interested in supporting these use cases. If they are, that
would significantly increase the momentum here.

Thanks
Dev


On Fri, Sep 14, 2018, 6:22 AM Bertil Chapuis <bchapuis@gmail.com> wrote:

> Hello WebAppSec,
>
> My colleagues and I have been doing some research on the use of
> checksums to improve the security of web downloads (i.e., integrity
> verification of downloaded files). One of the solutions mentioned in
> the paper to improve the usability of checksum-based integrity
> verification is to extend Subresource integrity (SRI) to <a> elements
> (this idea has been in the air for quite some time now). Extending it to
> other elements such as <img> would make sense as well. A brief
> explainer is available here:
>
> https://github.com/checksum-lab/checksum-lab.github.io/blob/master/README.markdown
>
> We would like to push this idea further and are willing to devote some
> time to that. Note, however, that we have very little knowledge and
> no experience regarding specification writing and W3C processes in
> general. Would a revision (v2) of the SRI spec be the best way to
> proceed? Is anyone willing to mentor us through this process?
>
> Please let us know what you think about the proposal and what the next
> steps on our side would be.
>
> Best regards,
>
> Bertil, Kevin, Igor
>
>
>
Received on Saturday, 15 September 2018 02:19:18 UTC
