- From: Martin Thomson <notifications@github.com>
- Date: Tue, 25 Feb 2025 18:58:11 -0800
- To: w3ctag/design-reviews <design-reviews@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Wednesday, 26 February 2025 02:58:15 UTC
martinthomson left a comment (w3ctag/design-reviews#1041)

After discussion with @jyasskin, we concluded that the proposal is headed in a constructive direction, but it is more appropriate for @mikewest to continue to chase down some of the outstanding issues in the design before we get into a review.

These issues all trace to the same question: what might be done about the potential for content substitution from within the set of resources that are signed with the same key. There are a bunch of questions about signing the current URL somehow (which interacts poorly with redirects) or maybe signing a nonce instead (which creates a tighter coupling between linking content and linked content, which might reintroduce the exact operational problems that this approach is intended to avoid).

These seem like a significant-enough set of problems to work through that the ultimate solution might need some significant changes. With that in mind, we're deferring this one and will ask that you come back once things are more mature. Either open a new issue (mentioning this one) or reopen this one, as you best see fit when that happens.

--
Reply to this email directly or view it on GitHub: https://github.com/w3ctag/design-reviews/issues/1041#issuecomment-2683769144
Message ID: <w3ctag/design-reviews/issues/1041/2683769144@github.com>