W3C home > Mailing lists > Public > public-webappsec@w3.org > March 2014

Re: Call for Consensus: Subresource Integrity to FPWD.

From: Adam Langley <agl@google.com>
Date: Mon, 10 Mar 2014 13:30:35 -0400
Message-ID: <CAL9PXLzLYp_hps91uQE88hd2fOsGnkOAzTdZ609JJtJJQF4K3A@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Devdatta Akhawe <dev.akhawe@gmail.com>, Frederik Braun <fbraun@mozilla.com>, Joel Weinberger <jww@google.com>
On Wed, Mar 5, 2014 at 3:21 AM, Mike West <mkwst@google.com> wrote:
> Hello, lovely webappsecians. Remember that lively discussion we had in
> January? Let's pick that back up again.
>
> This is a call for consensus to accept the following draft of Subresource
> Integrity as a First Public Working Draft:
>
> http://w3c.github.io/webappsec/specs/subresourceintegrity/
>
> Subresource Integrity defines a mechanism by which user agents may verify
> that a fetched resource has been delivered without unexpected manipulation.
> There's still quite a bit of work to be done, but I believe we're in good
> shape for an initial publication. Do you agree?

I think issue 4 is critical.

For issue 7, I would think that metadata could be omitted for
resources from the same origin because that's the source of the
metadata in the first place and so must be trusted.

I think issues 10-12 need to be resolved either by omitting these
elements from the v1 spec, or including a progressive hashing mode.

Additionally, srcset[1] contains some challenges and probably merits
an issue in the draft.

[1] http://www.w3.org/html/wg/drafts/srcset/w3c-srcset/


Cheers

AGL
Received on Monday, 10 March 2014 17:31:23 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:04 UTC