Re: [integrity]: latency tradeoffs

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Wed, 15 Jan 2014 19:14:15 -0800
Message-ID: <CAPfop_0Y9_W=C+gyhbBb6E2_scLO+t7FcDEN1v=WX2+SFv0JAA@mail.gmail.com>
To: Michal Zalewski <lcamtuf@coredump.cx>
Cc: Joel Weinberger <jww@chromium.org>, Adam Langley <agl@google.com>, Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

>> My only concern: I am not sure whether we want to make this a
>> requirement for the first version of the spec or make it a requirement
>> in the second version.
>
> The strongest use cases for integrity are for JS, CSS, fonts, and for
> binary downloads. Most of these can't be really rendered speculatively
> as they load; binary blobs are the only exception, I think, but they
> do not benefit hugely from progressive validation.

Exactly. Waiting for version 2 of the spec for progressive
authentication makes sense to me. This allows us to thrash out all
other issues. Version 2 can specify progressive authentication and,
thus, make integrity validation for passive multimedia a lot more
usable.

Interestingly, the current spec's CSP does not have a way to say
"require for JS, CSS, fonts, downloads." Maybe we should change that
given this discussion?


~dev
Received on Thursday, 16 January 2014 03:15:01 UTC