- From: Adam Langley <agl@google.com>
- Date: Mon, 10 Mar 2014 13:30:35 -0400
- To: Mike West <mkwst@google.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Devdatta Akhawe <dev.akhawe@gmail.com>, Frederik Braun <fbraun@mozilla.com>, Joel Weinberger <jww@google.com>

On Wed, Mar 5, 2014 at 3:21 AM, Mike West <mkwst@google.com> wrote:
> Hello, lovely webappsecians. Remember that lively discussion we had in
> January? Let's pick that back up again.
>
> This is a call for consensus to accept the following draft of Subresource
> Integrity as a First Public Working Draft:
>
> http://w3c.github.io/webappsec/specs/subresourceintegrity/
>
> Subresource Integrity defines a mechanism by which user agents may verify
> that a fetched resource has been delivered without unexpected manipulation.
> There's still quite a bit of work to be done, but I believe we're in good
> shape for an initial publication. Do you agree?

I think issue 4 is critical.

For issue 7, I would think that metadata could be omitted for resources from the same origin because that's the source of the metadata in the first place and so must be trusted.

I think issues 10-12 need to be resolved either by omitting these elements from the v1 spec, or including a progressive hashing mode.

Additionally, srcset[1] contains some challenges and probably merits an issue in the draft.

[1] http://www.w3.org/html/wg/drafts/srcset/w3c-srcset/

Cheers

AGL

Received on Monday, 10 March 2014 17:31:23 UTC