W3C home > Mailing lists > Public > public-webappsec@w3.org > May 2014

RE: SRI, cache validation and ServiceWorkers

From: Hill, Brad <bhill@paypal.com>
Date: Mon, 19 May 2014 12:14:22 +0000
To: Daniel Appelquist <Daniel.Appelquist@telefonica.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
CC: www-tag <www-tag@w3.org>, Alex Russell <slightlyoff@google.com>, "Jake Archibald" <jakearchibald@google.com>
Message-ID: <370C9BEB4DD6154FA963E2F79ADC6F2E35DECCF2@DEN-EXDDA-S12.corp.ebay.com>
Folks, just a quick note on venue here.

While WebAppSec is developing the Subresource Integrity document, it's still just a First Public Working Draft.  It's got a ways to go yet before we see even a first experimental implementation. 

Whether and how to apply it to ServiceWorker, when it is ready, is a task for the WebApps WG (public-webapps@w3.org).

WebAppSec can build a mechanism with lots of interesting potential uses, but we can't force anyone else to use it.  I think that this discussion belongs properly homed with WebApps, perhaps cc:ing this list if there are requirements for SRI that come out of it.

Thanks,

Brad Hill

-----Original Message-----
From: Daniel Appelquist [mailto:Daniel.Appelquist@telefonica.com] 
Sent: Monday, May 19, 2014 12:46 PM
To: public-webappsec@w3.org
Cc: www-tag; Alex Russell; Jake Archibald
Subject: Re: SRI, cache validation and ServiceWorkers

Yoav Weiss <yoav@yoav.ws> wrote:
> Anne van Kesteren <annevk@annevk.nl> wrote:
> > And sites that use service workers ought to be using HTTPS anyway.
>
> Why?


+1.

I have a concern about this orthodoxy of always putting service worker apps under TLS.  Since the STRINT workshop, and also in light of the coming move to http/2, Iıve been talking to a lot of web developers about moving to https.  Iıve heard a lot of concerns with this, even from large, established web sites.  Developersı concerns generally fall into the following categories:

1. TLS itself is a pain to administer - the logistics of the certificates, installing them, making sure they remain valid, ensuring they cover all the needed domains, keeping up to date with best practice, etc...
2. https sites require beefier hardware to serve 3. https sites are more difficult to load balance 4. serving over https makes it much more difficult to use third party content (scripts, images, videos, ad networks, whatever) in your webapp

A head of advertising for a major UK web site told me ³moving to https means we will lose money.²

Iım not saying these concerns arenıt addressable in the long term, but I wonder, specifically looking at service worker, and considering that adopting service worker will already mean a big learning curve for web developers, whether enforcing TLS-only for this burgeoning technology is the right approach.

In this light, I think Yoavıs proposal deserves some additional consideration.

Alex, Jake - would be good to hear your opinions on this.

Dan

Apologies for the wordy disclaimer below which is stripped in by my
employer:

This electronic message contains information from Telefonica UK or Telefonica Europe which may be privileged or confidential. The information is intended to be for the use of the individual(s) or entity named above. If you are not the intended recipient be aware that any disclosure, copying distribution or use of the contents of this information is prohibited. If you have received this electronic message in error, please notify us by telephone or email. Switchboard: +44 (0)113 272 2000 Email: feedback@o2.com Telefonica UK Limited 260 Bath Road, Slough, Berkshire SL1 4DX Registered in England and Wales: 1743099. VAT number: GB 778 6037 85 Telefonica Europe plc 260 Bath Road, Slough, Berkshire SL1 4DX Registered in England and Wales: 05310128. VAT number: GB 778 6037 85 Telefonica Digital Limited 260 Bath Road, Slough, Berkshire SL1 4DX Registered in England and Wales: 7884976. VAT number: GB 778 6037 85
Received on Monday, 19 May 2014 12:14:52 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:05 UTC