RE: Subresource Integrity: review requested

I can field some questions here, and will join next week's PING call to discuss as well.

-----Original Message-----
From: Joseph Lorenzo Hall [mailto:joe@cdt.org] 
Sent: Friday, May 8, 2015 12:38 PM
To: Brad Hill
Cc: public-privacy@w3.org
Subject: Re: Subresource Integrity: review requested

Hi Brad, are you willing to field some questions or would you rather we send you some batch feedback as a group from PING? best, Joe

On Thu, May 7, 2015 at 5:15 PM, Brad Hill <hillbrad@fb.com> wrote:
> Hello,
>
> The Web Application Security Working Group requests wide review of the following specification.
>
>    Subresource Integrity
>    
> http://w3c.github.io/webappsec/specs/subresourceintegrity/
>
> The group requests feedback via public-webappsec@w3.org with [SRI] in subject line, ideally before 2015-05-26.
>
> This specification defines a mechanism by which user agents may verify that a fetched resource has been delivered without unexpected manipulation.  Specifically, this version uses hashed metadata annotations delivered as a new "integrity" attribute of the <script> and <link> tags.
>
> Level 1 is intended as a "minimum viable" release, targeting what the group believes to be a few high-value use cases with the most manageable requirements, in order to learn how such a mechanism will interact with the large scale architecture of the Web, before proceeding to additional features and scenario targets.
>
> The group has specifically asked for feedback on the following:
>
> ============================================
> Fetch Integration
> Privacy and Security Considerations
> CORS interactions
> Future Considerations regarding broader integration into other HTML elements
> Extensibility
> ============================================
>
> Sincerely,
>
> Brad Hill
> Co-chair, WebAppSec WG
>



--
Joseph Lorenzo Hall
Chief Technologist
Center for Democracy & Technology
1634 I ST NW STE 1100
Washington DC 20006-4011
(p) 202-407-8825
(f) 202-637-0968
joe@cdt.org
PGP: https://josephhall.org/gpg-key

fingerprint: 3CA2 8D7B 9F6D DBD3 4B10  1607 5F86 6987 40A9 A871

Received on Friday, 8 May 2015 21:23:12 UTC