voge...@chromium.org, mk...@chromium.org
Spec
https://github.com/w3c/webappsec-subresource-integrity/blob/master/signature-based-restrictions-explainer.markdownSummary
Extend Subresource Integrity attributes to also recognize (certain forms of) digital signatures.We don't think so. This situation was thankfully anticipated when SRI was specified: SRI is spec'ed so that unknown "digest" prefixes are ignored. Hence, adding a new SRI "digest" type to an existing page should have no effect once the trial runs out (or on older versions of Chrome, or on other browsers that would erroneously get a page with the signature-prefix delivered).
Ongoing technical constraints
None.
Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?
Yes.
Link to entry on the feature dashboard
https://www.chromestatus.com/feature/5713333428682752
Contact emailsvoge...@chromium.org, mk...@chromium.org
Spec
https://github.com/w3c/webappsec-subresource-integrity/blob/master/signature-based-restrictions-explainer.markdown
Summary
Extend Subresource Integrity attributes to also recognize (certain forms of) digital signatures.Link to "Intent to Implement" blink-dev discussionhttps://groups.google.com/a/chromium.org/d/msg/blink-dev/mm0MvKSS61g/iNfwM8l-BAAJGoals for experimentationThe motivation for the feature is to make Subresource Integrity (SRI) easier to deploy. The goal of the origin trial is to get some sites that do not presently deploy SRI to try out this newer feature, to validate that it would work sufficiently well in practice and that the deployment effort for them is reasonable. Their feedback should determine which changes are needed to work towards a launch.
Experimental timelineThe experiment should be enabled during two milestones. We are targeting M66 + M67.Given that support of this feature potentially requires a lot of work on part of the participating sites, we might want an extension of the experiment duration if participating sites signal they need more time. I'm not sure of the proper process for this. I assume I'll have to ask again on this thread?Any risk when the experiment finishes?We don't think so. This situation was thankfully anticipated when SRI was specified: SRI is spec'ed so that unknown "digest" prefixes are ignored. Hence, adding a new SRI "digest" type to an existing page should have no effect once the trial runs out (or on older versions of Chrome, or on other browsers that would erroneously get a page with the signature-prefix delivered).
Ongoing technical constraints
None.
Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?
Yes.
Link to entry on the feature dashboard
https://www.chromestatus.com/feature/5713333428682752
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CALG6KPPoQznFUbwvwh2yS63xotz%2BmjwrG9hXV8OT07SZtWXCvA%40mail.gmail.com.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAKXHy%3Dfs4V2o0Yfc-maQUhDAGKA_0DXnrCKVQxc%2BJHewUinLBQ%40mail.gmail.com.
back in the mists of time, we had the "shttp" scheme for signed resources. https://tools.ietf.org/html/rfc2660 (1999) gives the details.It was totally wiped off the field by HTTPS, to the degree that few people seem to remember it ever existed.Perhaps it's wise to make sure what we propose now solves the problems that killed that one, or at least gives a story of why that one died and this one will survive?
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
Overall I'm supportive of addressing this use-case.I know it's not yet an intent to ship, but I feel this intent would benefit from a few extra things:* Indication of support from other browser vendors. The intent to implement stated support from Mozilla, but it might be better to open an official "request for position" on https://github.com/mozilla/standards-positions/issues. Would also be good to know what other vendors are thinking about it.
* TAG review - If you haven't started that process yet, it might be better to do so sooner rather than later (I had features blocked from shipping because the last-minute TAG review made us realize we need to change them. Not fun)
IMO, these are not blockers, but would be good to kick off.On Mon, Jan 29, 2018 at 12:46 PM 'Daniel Vogelheim' via blink-dev <blin...@chromium.org> wrote:Is there a normative spec explaining what it is that you intend to experiment with? The explainer is great, but it leaves a few questions unanswered, in particular about the implemented delivery mechanism for the signature itself.If such a spec doesn't exist yet, can you make it explicit here which delivery mechanism was implemented?
This all sounds great! :)LGTM1On Thu, Feb 1, 2018 at 9:31 AM Mike West <mk...@chromium.org> wrote:Hi, Yoav!
On Thu, Feb 1, 2018 at 9:18 AM, Yoav Weiss <yo...@yoav.ws> wrote:Overall I'm supportive of addressing this use-case.I know it's not yet an intent to ship, but I feel this intent would benefit from a few extra things:* Indication of support from other browser vendors. The intent to implement stated support from Mozilla, but it might be better to open an official "request for position" on https://github.com/mozilla/standards-positions/issues. Would also be good to know what other vendors are thinking about it.The generally positive feelings we talked about in the intent to implement were explicitly linked, and we got some additional feedback at TPAC last year which was equally encouraging.That said, explicit feedback would be better than random mailing list posts and hallway conversations. I didn't realize Mozilla was accepting requests, and I think we'd be happy to put up an issue. Perhaps we should add that to our process? (+rbyers@)