webappsec-ISSUE-72 (Streaming Integrity): How to apply integrity verification to large / streaming downloads [Subresource Integrity Level 2]

http://www.w3.org/2011/webappsec/track/issues/72

Raised by: Devdatta Akhawe
On product: Subresource Integrity Level 2

Subresource integrity is useful, but it leads to blocking until an entire resource is fetched and hashed. This is OK for JavaScript as it is not incrementally loaded, but severely limits the use of SRI for other types of content like streams or large objects that might be progressively rendered.

Adam Langley has proposed using an unbalanced Merkle tree to accomplish this:

http://lists.w3.org/Archives/Public/public-webappsec/2014Jan/0088.html

But it needs further investigation and specification.

There may be other issues to explore here if applications do not define explicit segmentation at layer 7, e.g.:

http://lists.w3.org/Archives/Public/public-webappsec/2014Jan/0102.html

Received on Monday, 17 November 2014 22:45:09 UTC
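
An added illustration of the incremental verification this issue asks for (not part of the original message, and not the construction from the linked proposal, which the issue leaves unspecified): chaining per-chunk SHA-256 digests so that each chunk can be checked and released as it arrives, with only the root digest known in advance. The frame layout, the 0x00/0x01 tags and all function names are assumptions made for this example.

```javascript
const { createHash } = require("node:crypto");

// Assumed domain-separation tags. Without them, an interior frame could be
// replayed as a "final" frame and the stream silently truncated.
const FINAL = Buffer.from([0x00]);
const INTERIOR = Buffer.from([0x01]);

// Digest of one frame: the chunk plus the digest of the frame that follows it.
function frameDigest(data, next) {
  const h = createHash("sha256");
  if (next === null) h.update(FINAL);
  else h.update(INTERIOR).update(next);
  return h.update(data).digest();
}

// Publisher side: walk the chunks back to front so every frame commits to
// its successor. Only `root` has to be published as integrity metadata.
function buildChain(chunks) {
  if (chunks.length === 0) throw new Error("need at least one chunk");
  const frames = new Array(chunks.length);
  let next = null;
  for (let i = chunks.length - 1; i >= 0; i--) {
    frames[i] = { data: chunks[i], next };
    next = frameDigest(chunks[i], next);
  }
  return { root: next, frames };
}

// Receiver side: verify and release one frame at a time, no full buffering.
function createVerifier(root) {
  let expected = root;
  return {
    accept(frame) {
      if (expected === null) throw new Error("data after final frame");
      if (!frameDigest(frame.data, frame.next).equals(expected)) throw new Error("integrity mismatch");
      expected = frame.next; // the verified frame vouches for the next one
      return frame.data;
    },
    finish() {
      if (expected !== null) throw new Error("stream truncated");
    },
  };
}

// Constructed sample input: a three-chunk resource.
const sample = buildChain(["chunk-0 ", "chunk-1 ", "chunk-2"].map((s) => Buffer.from(s)));
```

A receiver calls `accept` for each frame as it arrives and `finish` at end of stream, so a modified chunk is rejected at the frame where it occurs and a shortened stream is rejected at the end.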