Call for Consensus on new WebAppSec WG Charter from Hill, Brad on 2012-11-29 (public-webappsec@w3.org from November 2012) (original) (raw)

To facilitate our internal review regarding the proposed "Sub-Resource Integrity" deliverable, where can I find some additional information (beyond the few sentences in the Draft charter) about this spec, f.ex. a Draft spec, related work, etc.?

-Thanks, AB

I've been trying to avoid prejudicing the discussion thus far, especially before we have made any patent commitments, but my personal notes on the idea were the following. Please take this as a hand-wavey hypothetical only indicative of my own speculations. I hope that some of the groups that have been experimentally implementing these ideas will submit their work. The charter language is the definitive scope for the WG's actual deliverable, which might differ considerably from this sketch.

-Brad

Somewhat similar to http://www.gerv.net/security/link-fingerprints/ but primarily for subresource loads, rather than just content-disposition: attachment to protect downloaded files.

Use cases:

1. Resource with cache-friendly alternate, fall back to secure transport on failure:

1. Resource with only one src, implies hard-fail on digest mismatch: