webappsec-ISSUE-72 (Streaming Integrity): How to apply integrity verification to large / streaming downloads [Subresource Integrity Level 2]

From: Web Application Security Working Group Issue Tracker <sysbot+tracker@w3.org>
Date: Mon, 17 Nov 2014 22:45:05 +0000
Message-Id: <E1XqV2f-0000U6-9t@stuart.w3.org>
To: public-webappsec@w3.org

http://www.w3.org/2011/webappsec/track/issues/72

Raised by: Devdatta Akhawe
On product: Subresource Integrity Level 2

Subresource integrity is useful, but it leads to blocking until an entire resource is fetched and hashed. This is OK for JavaScript as it is not incrementally loaded, but severely limits the use of SRI for other types of content like streams or large objects that might be progressively rendered.

Adam Langley has proposed using an unbalanced Merkle tree to accomplish this:

http://lists.w3.org/Archives/Public/public-webappsec/2014Jan/0088.html

But it needs further investigation and specification.

There may be other issues to explore here if applications do not define explicit segmentation at layer 7, e.g.:

http://lists.w3.org/Archives/Public/public-webappsec/2014Jan/0102.html
Received on Monday, 17 November 2014 22:45:09 UTC
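
An added illustration of the incremental verification this issue asks for, not code from the original message or from the linked proposal: a linear (unbalanced) hash tree in which each frame carries a chunk plus the digest of the remainder, so a client holding only the root digest can release chunks as they arrive. The node layout, tag bytes, SHA-256, the 8-byte chunk size and all function names are assumptions made for the example.

```python
import hashlib
import hmac

def _node(chunk: bytes, rest: bytes) -> bytes:
    # Assumed layout: tag || chunk || digest-of-remainder. The tag separates
    # the final node (no successor) from interior nodes.
    tag = b"\x01" if rest else b"\x00"
    return hashlib.sha256(tag + chunk + rest).digest()

def build_frames(resource: bytes, size: int):
    """Publisher: return (root, frames); frame i = (chunk_i, digest of node i+1)."""
    chunks = [resource[i:i + size] for i in range(0, len(resource), size)] or [b""]
    frames, rest = [], b""
    for chunk in reversed(chunks):      # hash from the tail toward the head
        frames.append((chunk, rest))
        rest = _node(chunk, rest)
    frames.reverse()
    return rest, frames                 # rest now holds the root digest

def verify_stream(root: bytes, frames):
    """Client: yield each chunk once it verifies; raise on tampering or truncation."""
    expected = root
    for chunk, rest in frames:
        if not hmac.compare_digest(_node(chunk, rest), expected):
            raise ValueError("integrity check failed")
        yield chunk                     # safe to render before later chunks arrive
        expected = rest
    if expected:                        # stream ended before the final node
        raise ValueError("stream truncated")

def consume(root: bytes, frames):
    """Return (chunks released to the consumer, error message or None)."""
    released = []
    try:
        for chunk in verify_stream(root, frames):
            released.append(chunk)
    except ValueError as exc:
        return released, str(exc)
    return released, None

SAMPLE = b"constructed sample media bytes"  # constructed input, not from the page
ROOT, FRAMES = build_frames(SAMPLE, 8)      # ROOT is what integrity metadata would pin
```

Chunks yielded before a failure have already reached the consumer, which is the trade-off against whole-resource SRI.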