Re: [integrity]: latency tradeoffs

> My only concern: I am not sure whether we want to make this a
> requirement for the first version of the spec or make it a requirement
> in the second version.

The strongest use cases for integrity are for JS, CSS, fonts, and for
binary downloads. Most of these can't be really rendered speculatively
as they load; binary blobs are the only exception, I think, but they
do not benefit hugely from progressive validation.

There are peripheral use cases for "passive" multimedia (images,
video, audio). They are less valuable to attackers, but also depend
heavily on progressive loading. In these use cases, it feels like
progressive validation is pretty much a strict requirement.

There are also use cases for plugin-rendered documents (e.g., PDF),
but I'm not sure if we can make integrity work with plugins very
easily to begin with (?). The last use case would be for HTML in an
<iframe>, but I don't think that would offer any real benefits with
today's ads or gadgets.


Received on Wednesday, 15 January 2014 19:19:25 UTC