Re: [w3ctag/design-reviews] Signature-Based Integrity. (Issue #1041)

mikewest left a comment (w3ctag/design-reviews#1041)

I'd invite y'all to take another look at the spec, as I intend to begin breaking it into PRs against SRI for review. https://wicg.github.io/signature-based-sri/#security-substitution describes the set of issues we discussed earlier in the year, along with potential mitigations. For the moment, key segregation is enough for developers who have experimented with the feature, and there hasn't been substantial interest in requiring signed redirects by default.

I intend to define a redirect-signing profile, and allow site developers to opt into it via an option on the integrity declaration, but I think that will be a separate extension to SRI, and I'll open a distinct review for it in the future.

Thanks!

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/1041#issuecomment-3183224965

Message ID: <w3ctag/design-reviews/issues/1041/3183224965@github.com>

Received on Wednesday, 13 August 2025 10:35:36 UTC