W3C home > Mailing lists > Public > public-webappsec@w3.org > July 2014

[Integrity] Signature based subresource integrity?

From: Daniel Roesler <diafygi@gmail.com>
Date: Sun, 20 Jul 2014 19:26:40 -0700
Message-ID: <CA+65OsoVNKEgbk-1ejL67WRBz+1L7tFgt889fg5L+wOVezTQcg@mail.gmail.com>
To: public-webappsec@w3.org
Howdy all,

I'm trying to figure out how I can validate an included remote
javascript file (i.e. subresource) and still allow that file to be
updated by the trusted remote party?

I know the spec currently just allows you to set a hash of the
expected resource. However, when the trusted remote party updates
their resource, it breaks the integrity and I have to go and update my
site with the new hash (a pain for me).

To solve this pain point, would it be possible to use signatures as
the method for validating integrity? That way, I could just include
the public key for the remote party in the integrity attribute and
have the browser check some sort of signature sent with the resource
from the remote party.

Obviously, this would require some sort of cooperation from the remote
party (a Signature header, maybe?), but I would be okay with that
since they are trusted.

Is there a way to do this in this specification or another specification?

Received on Tuesday, 22 July 2014 09:35:37 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:39 UTC