- From: Eduardo Robles Elvira <edulix@agoravoting.com>
- Date: Tue, 11 Mar 2014 15:23:30 +0100
- To: whatwg@lists.whatwg.org

Hello:

I propose that external resources can be hashed. Before you jump on me, I know that this has been proposed in the past [1] but I think it's that time of the year to propose it again.

My concrete use-case is simple: I want to be able to use CDNs for common JavaScript and CSS files, but I don't want to have to trust their server administrators. That's why I'd like to be able to do something like this:

    <script type="text/javascript"
        src="//netdna.bootstrapcdn.com/js/bootstrap-3.0.1.min.js"
        digest="sha256://9a6a18e1719c987e5bc937abe">
    </script>

    <link rel="stylesheet" digest="sha256://9a6a18e1719c987e5bc937abe"
        href="//somecdn.com/themes/base-1.2.1.css" type="text/css"
        media="all" />

That's the only way I'd trust i.e. Google as a CDN, for example. Note, these are files that should not change.

In a post-Snowden era, I think it's really important to improve the security of the web. CDNs provide a useful service, but I don't want to have to trust them. Yes, I want the cake, and eat it too.

Of course, this is just one use-case, there are others. This could be applied also to <a> and maybe other tags too. And maybe this is not the best layer to apply the checksum: another way could be to do this in the URIs themselves [2], but I think that's more tricky. But if you think that's the way it should be done, then so be it.

The bottom line for me is: I don't know at what level to apply the fix, but I do think we need a solution for this. Unless NSA thinks otherwise, of course :-)

Regards,

--
[1] http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2012-October/037668.html
[2] something like sha512+https://thehash;path/to/file

--
Eduardo Robles Elvira, +34 668 824 393, https://agoravoting.com
Received on Tuesday, 11 March 2014 14:30:31 UTC
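
The check the message asks for, sketched as an added example that is not part of the original message or of any browser: it parses the proposed digest="algo://hex" value and decides whether fetched bytes may be used. Function names and the sample file contents are assumptions made for illustration; the shortened sample digest from the message is rejected because it is not a full SHA-256 value.

```javascript
// Added example, not code from the original message. The digest="algo://hex"
// syntax is the message's proposal; function names here are hypothetical.
const crypto = require("node:crypto");

// Accepted algorithms and the length of a full digest in hex characters.
const HEX_LENGTH = new Map([["sha256", 64], ["sha512", 128]]);

// Parse a value such as "sha256://<64 hex chars>". Unknown algorithms and
// shortened digests throw: prefix matching would weaken the check.
function parseDigest(value) {
  const m = /^([a-z0-9]+):\/\/([0-9a-f]+)$/i.exec(String(value).trim());
  if (!m) throw new Error("malformed digest value");
  const algo = m[1].toLowerCase();
  const hex = m[2].toLowerCase();
  if (!HEX_LENGTH.has(algo)) throw new Error("unsupported algorithm: " + algo);
  if (hex.length !== HEX_LENGTH.get(algo)) {
    throw new Error("digest is not a full " + algo + " value");
  }
  return { algo, hex };
}

// Publisher side: compute the attribute value to pin in the page markup.
function digestFor(bytes, algo = "sha256") {
  return algo + "://" + crypto.createHash(algo).update(bytes).digest("hex");
}

// Client side: true only when the fetched bytes hash to the pinned value.
function verifyResource(bytes, digestValue) {
  const { algo, hex } = parseDigest(digestValue);
  const actual = crypto.createHash(algo).update(bytes).digest();
  return actual.equals(Buffer.from(hex, "hex"));
}

// Decide what a loader would do with a response from the CDN.
function loadDecision(bytes, digestValue) {
  try {
    return verifyResource(bytes, digestValue) ? "execute" : "block: mismatch";
  } catch (err) {
    return "block: " + err.message;
  }
}

// Constructed sample input: a stand-in for the file the page author reviewed.
const reviewed = Buffer.from("window.demo = 1;\n");
const pinned = digestFor(reviewed);
const tampered = Buffer.from("window.demo = 1; /* injected */\n");
console.log(loadDecision(reviewed, pinned));
console.log(loadDecision(tampered, pinned));
console.log(loadDecision(reviewed, "sha256://9a6a18e1719c987e5bc937abe"));
```
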