Re: [w3ctag/design-reviews] Review of signature-based resource loading restrictions. (#186)

@triblondon @cynthia I think you all are actually agreeing, but just wanted to add that a CDN could certainly do its job without knowledge of the private key. However, knowing the private key would allow a 'value add' CDN that e.g. also minifies, compresses, assembles, or elsehow prepares resources on behalf of a client. The proposed spec enables either use case.

The uses cases can even be mixed within the page, on a resource-by-resource basis. (E.g., CDN provides and holds the key for certain standard libraries, like the most up-to-date jQuery; while the page owner holds the key for the app logic.)

Basically, the last thing that is meant to legitimately modify the sub-resource data needs to hold the key. The spec has no opinion on who that should be.

That said, the only-page-owner-holds-the-key use case is certainly an important one.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/186#issuecomment-332580126

Received on Wednesday, 27 September 2017 16:33:29 UTC