- From: Daniel Roesler <diafygi@gmail.com>
- Date: Sun, 20 Jul 2014 19:26:40 -0700
- To: public-webappsec@w3.org
Howdy all,

I'm trying to figure out how I can validate an included remote JavaScript file (i.e. subresource) and still allow that file to be updated by the trusted remote party? I know the spec currently just allows you to set a hash of the expected resource. However, when the trusted remote party updates their resource, it breaks the integrity and I have to go and update my site with the new hash (a pain for me).

To solve this pain point, would it be possible to use signatures as the method for validating integrity? That way, I could just include the public key for the remote party in the integrity attribute and have the browser check some sort of signature sent with the resource from the remote party. Obviously, this would require some sort of cooperation from the remote party (a Signature header, maybe?), but I would be okay with that since they are trusted.

Is there a way to do this in this specification or another specification?

Thanks!
Daniel
Received on Tuesday, 22 July 2014 09:35:37 UTC
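
The two models compared in the message above, as an added example that is not part of the original post or of any specification: a pinned hash stops matching when the publisher ships a new version, while a pinned public key keeps verifying as long as each response carries a valid signature. The `ed25519-<key>` pin format, the detached `signature` field and all function names are assumptions made for illustration.

```javascript
// Added illustration. The pin format and signature transport are hypothetical.
const crypto = require("node:crypto");

// Constructed sample: the trusted remote party's signing key pair.
const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");

// Hash pinning: the integrity value is a digest of one exact file body.
function sriHash(body) {
  return "sha256-" + crypto.createHash("sha256").update(body).digest("base64");
}
function checkHash(body, integrity) {
  return sriHash(body) === integrity;
}

// Signature pinning: the including page pins the publisher's public key.
function pinKey(pub) {
  return "ed25519-" + pub.export({ type: "spki", format: "der" }).toString("base64");
}
// Publisher side: send the body together with a detached signature over it.
function publish(body) {
  const sig = crypto.sign(null, Buffer.from(body), privateKey);
  return { body, signature: sig.toString("base64") };
}
// Client side: fail closed on unknown algorithm, missing or bad signature.
function checkSignature(response, pinned) {
  const cut = pinned.indexOf("-");
  if (pinned.slice(0, cut) !== "ed25519" || !response.signature) return false;
  try {
    const der = Buffer.from(pinned.slice(cut + 1), "base64");
    const key = crypto.createPublicKey({ key: der, format: "der", type: "spki" });
    const sig = Buffer.from(response.signature, "base64");
    return crypto.verify(null, Buffer.from(response.body), key, sig);
  } catch {
    return false;
  }
}

function demo() {
  const v1 = "console.log('lib v1');"; // constructed file contents
  const v2 = "console.log('lib v2');"; // publisher's legitimate update
  const pinnedHash = sriHash(v1);
  const pinnedKey = pinKey(publicKey);
  const tampered = { ...publish(v2), body: v2 + "/* modified in transit */" };
  return {
    hashV1: checkHash(v1, pinnedHash),
    hashV2: checkHash(v2, pinnedHash),
    sigV1: checkSignature(publish(v1), pinnedKey),
    sigV2: checkSignature(publish(v2), pinnedKey),
    sigTampered: checkSignature(tampered, pinnedKey),
    sigMissing: checkSignature({ body: v2 }, pinnedKey),
  };
}
```

A valid signature only shows that the key holder signed the bytes, so an older signed version still verifies and a compromise of the signing key defeats the check, whereas a pinned hash admits exactly one reviewed file.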