- From: Mike West <notifications@github.com>
- Date: Tue, 14 Oct 2025 03:44:23 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/fetch/pull/1867@github.com>
Signature-based Integrity [1] relies on user agents properly handling `Unencoded-Digest` headers [2], which deliver a server's assertions about the integrity of a given response's body.
This patch extracts the relevant algorithms from [1], spelling out the processing model for the header, and verifying response integrity at the end of Main Fetch, alongside SRI's existing check.
This is one step of the Signature-based Integrity upstreaming work detailed in [3].
[1]: https://wicg.github.io/signature-based-sri/
[2]: https://httpwg.org/http-extensions/draft-ietf-httpbis-unencoded-digest.html
[3]: https://github.com/WICG/signature-based-sri/issues/49
- [X] At least two implementers are interested (and none opposed):
  * Chromium [shipped support](https://chromestatus.com/feature/5032324620877824) for this functionality in M141.
  * WebKit expressed support in https://github.com/WebKit/standards-positions/issues/434
  * Mozilla's opinions have been solicited in https://github.com/mozilla/standards-positions/issues/1139
- [X] [Tests](https://github.com/web-platform-tests/wpt) are written and can be reviewed and commented upon at:
  * https://wpt.fyi/results/subresource-integrity/unencoded-digest/tentative?label=experimental&label=master&aligned
- [ ] [Implementation bugs](https://github.com/whatwg/meta/blob/main/MAINTAINERS.md#handling-pull-requests) are filed:
  * Chromium: …
  * Gecko: …
  * WebKit: …
  * Deno (not for CORS changes): …
- [ ] [MDN issue](https://github.com/whatwg/meta/blob/main/MAINTAINERS.md#handling-pull-requests) is filed: …
- [X] The top of this comment includes a [clear commit message](https://github.com/whatwg/meta/blob/main/COMMITTING.md) to use.
(See [WHATWG Working Mode: Changes](https://whatwg.org/working-mode#changes) for more details.)
***
<a href="https://whatpr.org/fetch/1867.html" title="Last updated on Oct 14, 2025, 10:44 AM UTC (1457984)">Preview</a> | <a href="https://whatpr.org/fetch/1867/0e72db8...1457984.html" title="Last updated on Oct 14, 2025, 10:44 AM UTC (1457984)">Diff</a>
You can view, comment on, or merge this pull request online at:
https://github.com/whatwg/fetch/pull/1867
-- Commit Summary --
* Handle `Unencoded-Digest` assertions.
-- File Changes --
M fetch.bs (85)
-- Patch Links --
https://github.com/whatwg/fetch/pull/1867.patch
https://github.com/whatwg/fetch/pull/1867.diff
Received on Tuesday, 14 October 2025 10:44:27 UTC
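
The check this message describes, sketched as an added example for Node.js; it is not code from the pull request or from the Fetch spec text. The function names, the simplified dictionary parser, the choice to ignore unrecognised algorithms and the sample body are assumptions of the example. It shows that the digest has to be computed over the body after content codings are removed, which is what the header's name refers to.

```javascript
const { createHash } = require("node:crypto");
const { gzipSync, gunzipSync } = require("node:zlib");

// Assumption of this example: only these algorithms are checked; other keys are ignored.
const ALGORITHMS = new Map([["sha-256", "sha256"], ["sha-512", "sha512"]]);

// Parse a Structured Fields dictionary of byte sequences: key=:base64:, ...
// Simplified parser (no parameters); returns null if any member has another form.
function parseUnencodedDigest(value) {
  const digests = new Map();
  for (const member of value.split(",")) {
    const m = /^\s*([a-z*][a-z0-9_.*-]*)=:([A-Za-z0-9+/]*={0,2}):\s*$/.exec(member);
    if (!m) return null;
    digests.set(m[1], Buffer.from(m[2], "base64"));
  }
  return digests;
}

// Returns "no-assertion", "malformed", "match" or "mismatch".
// `body` must be the bytes after content codings (gzip, br, ...) are removed.
function checkUnencodedDigest(headerValue, body) {
  if (headerValue == null) return "no-assertion";
  const digests = parseUnencodedDigest(headerValue);
  if (digests === null) return "malformed";
  let checked = 0;
  for (const [name, expected] of digests) {
    const nodeName = ALGORITHMS.get(name);
    if (!nodeName) continue; // unrecognised algorithm: ignored in this example
    const actual = createHash(nodeName).update(body).digest();
    if (!actual.equals(expected)) return "mismatch";
    checked++;
  }
  return checked > 0 ? "match" : "no-assertion";
}

// Constructed sample: a script served with Content-Encoding: gzip.
const unencoded = Buffer.from("console.log('hello');\n");
const onTheWire = gzipSync(unencoded);
const header =
  "sha-256=:" + createHash("sha256").update(unencoded).digest("base64") + ":";

function demo() {
  return {
    decoded: checkUnencodedDigest(header, gunzipSync(onTheWire)),
    stillEncoded: checkUnencodedDigest(header, onTheWire),
    tampered: checkUnencodedDigest(header, Buffer.from("console.log('evil');\n")),
  };
}
console.log(demo());
```

A caller still has to decide how to treat "malformed" and "no-assertion"; the example only reports them.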