RfC: Subresource Integrity; deadline May 26 from Arthur Barstow on 2015-05-07 (public-webapps@w3.org from April to June 2015)

From: Arthur Barstow <art.barstow@gmail.com>
Date: Thu, 07 May 2015 16:15:24 -0400
To: public-webapps <public-webapps@w3.org>
Message-ID: <554BC7DC.3040308@gmail.com>

The WebAppSec community requests review of Subresource Integrity 
<http://w3c.github.io/webappsec/specs/subresourceintegrity/>, specifically:

[[
Fetch Integration
Privacy and Security Considerations
CORS interactions
Future Considerations regarding broader integration into other HTML elements
Extensibility
]]

If you have any feedback, please send it to public-webappsec @ w3.org 
([archive]), using a "[SRI]" Subject: prefix, by May 26.

-Thanks, AB

[archive] <https://lists.w3.org/Archives/Public/public-webappsec/>

-------- Forwarded Message --------
Subject: 	Subresource Integrity - review requested
Resent-Date: 	Thu, 07 May 2015 19:33:16 +0000
Resent-From: 	public-review-announce@w3.org
Date: 	Thu, 7 May 2015 19:30:48 +0000
From: 	Brad Hill <hillbrad@fb.com>
To: 	public-review-announce@w3.org <public-review-announce@w3.org>



Hello,

The Web Application Security Working Group requests review of the following specification before 2015-05-26:

    Subresource Integrity
    http://w3c.github.io/webappsec/specs/subresourceintegrity/
	
The group requests feedback via public-webappsec@w3.org with [SRI] in subject line

This specification defines a mechanism by which user agents may verify that a fetched resource has been delivered without unexpected manipulation.  Specifically, this version uses hashed metadata annotations delivered as a new "integrity" attribute of the <script> and <link> tags.

Level 1 is intended as a "minimum viable" release, targeting what the group believes to be a few high-value use cases with the most manageable requirements, in order to learn how such a mechanism will interact with the large scale architecture of the Web, before proceeding to additional features and scenario targets.

The group has specifically asked for feedback on the following:

============================================
Fetch Integration
Privacy and Security Considerations
CORS interactions
Future Considerations regarding broader integration into other HTML elements
Extensibility
============================================

Sincerely,

Brad Hill
Co-chair, WebAppSec WG

Received on Thursday, 7 May 2015 20:15:53 UTC