
Re: Transition Request: Subresource Integrity to FPWD

From: Brad Hill <hillbrad@gmail.com>
Date: Thu, 20 Mar 2014 18:58:44 -0700
Message-ID: <CAEeYn8hrO5K2OMfbhnNKFAbX1a1t3v36t8N0bA8N+ns+hrj8dw@mail.gmail.com>
To: Daniel Veditz <dveditz@mozilla.com>
Cc: Wendy Seltzer <wseltzer@w3.org>, "Henry S. Thompson" <ht@inf.ed.ac.uk>, "Hill, Brad" <bhill@paypal.com>, Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Thanks for the history, Dan.  We also have had a good deal of
pre-publication attention from Mark Nottingham, the HTTP 2 chair at IETF
and one of the other formal IETF/W3C liaison people, who has not raised
concerns with the venue.  This is about policies in browsers for including
resources in the DOM, post-retrieval, so it is not traditionally in the IETF
wheelhouse.

Apologies about some missing references.  It's a first draft.

With regard to Fetch, the  most active development there is happening at
WHATWG.  We in WebAppSec coordinate with Anne Van Kesteren pretty regularly
on such things as, e.g. adding CSP as parameters to the Fetch algorithms.

Typically we have a history of working out the security specific issues and
shape of things in the venue with the most relevant expertise and charter,
and figuring out the details of integration when it's more clear what it
should do.  I think there will likely be some interactions possible or
necessary here with ServiceWorkers, as well.  But the implementation could
also stand alone, as does CSP, in terms of rules for manipulating the DOM
after Fetch has completed.  (the exploration of SRI as a means for
content-addressable-storage aside)

The primary purpose of FPWD is to give notice to the community that we have
something ready for review and comment.  It's not by any means a claim that
we are done. We appreciate all feedback to the public list.

-Brad Hill



On Thu, Mar 20, 2014 at 6:34 PM, Daniel Veditz <dveditz@mozilla.com> wrote:

> On 3/20/2014 7:11 AM, Wendy Seltzer wrote:
> > On 03/20/2014 09:32 AM, Henry S. Thompson wrote:
> >> So I'm curious, perhaps even concerned, about the overlap between this
> >> work and the IETF.  Is the WG, or are you personally, regularly in
> >> touch with the right people at the IETF to be sure you're not stepping
> >> on toes over there, with respect to WebAppSec in general, and this
> >> document's proposals in particular?
>
> We once tried to get this concept done in the IETF, in the form of "link
> fingerprints".
> http://www.gerv.net/security/link-fingerprints/
>
> Mozilla even had an experimental implementation
> https://bugzilla.mozilla.org/show_bug.cgi?id=377245
>
> It got shut down in the IETF, with the suggestion that it didn't belong
> in URLs but should rather be done as document metadata in the W3C. The
> concept took a vacation for half a decade but that's where we now are:
> in the W3C at the request of the IETF.
>
> -Dan Veditz
>
>
Received on Friday, 21 March 2014 01:59:13 UTC
