@mikewest thanks for this, it's very interesting. Speaking as a CDN person, I'm anticipating that CDNs will want to provide this as a service to their customers, ie the customer shares their private key with us and we add the signature into the `<script>` tags, and add the Integrity header to the appropriate asset responses (or in the case of serving just the script asset, eg cdnjs, do just that half)
Anticipating that this might inspire a SHARINGPRIVATEKEYSWHATTHEHELL freakout, note that CDNs already terminate TLS on behalf of their customers, and also sometimes will validate their customers' user-authentication tokens as well. It seems not unreasonable to anticipate that they might naturally do this too.
This also prompted the thought that any middlebox that can see the content in the clear (eg a corporate proxy which has a root cert trusted by its employees machines) and is able to intercept both the page request and the asset request could modify both to ensure a valid match on the client.
We think this basically wraps up our TAG feedback, would like to express our undying adulation for your glorious specification abilities and thank you for flying TAG. Please come again.
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/186#issuecomment-332445970