- From: James Addison <notifications@github.com>
- Date: Fri, 22 Dec 2023 15:20:31 -0800
- To: w3c/ServiceWorker <ServiceWorker@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Friday, 22 December 2023 23:20:37 UTC
> This might be really useful for concerns about a CDN becoming malicious while the legitimate operator still controls the DNS, but doesn't do anything for the "don't trust the operator" use case.

Thanks @valpackett - yep, that's exactly the kind of scenario that a DNS webintegrity checksum would be intended to guard against; and correct, the mechanism does not protect against an untrusted operator.

(if an application _is_ free-and/or-open-source and reproducibly-buildable, then continuous inspection and confirmation of the published integrity hashes may be possible, but that'd be an independent process. less-transparent sites could continue to offer content integrity)

I don't feel knowledgeable enough about either ServiceWorkers or web origins to comment on the `app://` origin suggestion, but to (try to) show some awareness: my understanding is that HTTPS is preferred for ServiceWorkers, so my proposal's attempt to design an approach that is backwards-compatible to HTTP could be out-of-context / off-topic here.

--
Reply to this email directly or view it on GitHub:
https://github.com/w3c/ServiceWorker/issues/822#issuecomment-1868125660
You are receiving this because you are subscribed to this thread.

Message ID: <w3c/ServiceWorker/issues/822/1868125660@github.com>