W3C home > Mailing lists > Public > public-review-announce@w3.org > May 2015

Subresource Integrity - review requested

From: Brad Hill <hillbrad@fb.com>
Date: Thu, 7 May 2015 19:30:48 +0000
To: "public-review-announce@w3.org" <public-review-announce@w3.org>
Message-ID: <71512C0F85CD764C8AB1CCDCA2FA4FE807CC7868@PRN-MBX02-3.TheFacebook.com>

The Web Application Security Working Group requests review of the following specification before 2015-05-26:

   Subresource Integrity
The group requests feedback via public-webappsec@w3.org with [SRI] in subject line

This specification defines a mechanism by which user agents may verify that a fetched resource has been delivered without unexpected manipulation.  Specifically, this version uses hashed metadata annotations delivered as a new "integrity" attribute of the <script> and <link> tags.

Level 1 is intended as a "minimum viable" release, targeting what the group believes to be a few high-value use cases with the most manageable requirements, in order to learn how such a mechanism will interact with the large scale architecture of the Web, before proceeding to additional features and scenario targets.

The group has specifically asked for feedback on the following:

Fetch Integration
Privacy and Security Considerations
CORS interactions
Future Considerations regarding broader integration into other HTML elements


Brad Hill
Co-chair, WebAppSec WG
Received on Thursday, 7 May 2015 19:33:15 UTC

This archive was generated by hypermail 2.3.1 : Thursday, 7 May 2015 19:33:16 UTC