Intent to Experiment: Signature-based Integrity
Chromestatus
Contact emails
mk...@chromium.orgExplainer
https://github.com/WICG/signature-based-sriSpecification
https://wicg.github.io/signature-based-sriSummary
This feature provides web developers with a mechanism to verify the provenance of resources they depend upon, creating a technical foundation for trust in a site's dependencies. In short: servers can sign responses with a Ed25519 key pair, and web developers can require the user agent to verify the signature using a specific public key. This offers a helpful addition to URL-based checks offered by Content Security Policy on the one hand, and Subresource Integrity's content-based checks on the other.
Blink component
Blink>SecurityFeature>Subresource IntegritySearch tags
sri, signature, ed25519, integrity, provenanceTAG review
https://github.com/w3ctag/design-reviews/issues/1041TAG review status
PendingOrigin Trial documentation link
https://github.com/WICG/signature-based-sriRisks
Interoperability and Compatibility
None
Gecko: No signal (https://github.com/mozilla/standards-positions/issues/1139)
WebKit: No signal (https://github.com/WebKit/standards-positions/issues/434)
Web developers: No signals Shopify (@yoavweiss) has expressed positive initial impressions, as have folks at Cloudflare and Google.
Other signals:
Ergonomics
The hash functions we currently support for SRI generally are not conducive to streaming responses. This is arguably fine for scripts and stylesheets (as those are executed atomically, requiring the entire body), but it cannot work for other resource types (images, video, etc). It's likely we'll want to extend the set of hash functions in the future (though we'd do that for SRI, CSP, and this mechanism in one fell swoop).
Activation
Chromium's implementation of WebCrypto doesn't yet support Ed25519 signing/verification, which means tooling to help developers generate signatures requires flipping the experimental web platform features flag. Not the end of the world.
Security
The feature aims to plug a security hole in the platform's status quo ante: it is impossible to deploy content-based integrity checks for dynamic resources, and URL-based checks are too broad to provide meaningful security protections. We continue to require CORS-based opt-in for integrity checks on responses to ensure that we're not leaking data unintentionally between origins.
WebView application risks
Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
None
Goals for experimentation
Ongoing technical constraints
None.
Debuggability
`Signature` and `Signature-Input` header parsing and validation is well-covered with DevTools issues. The same cannot (yet!) be said for `Unencoded-Digest` parsing and enforcement. Working on it!
Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, ChromeOS, Android, and Android WebView)?
YesIs this feature fully tested by web-platform-tests?
Yeshttps://wpt.fyi/results/subresource-integrity/unencoded-digest?label=experimental&label=master&aligned https://wpt.fyi/results/subresource-integrity/signatures?label=experimental&label=master&aligned
Flag name on about://flags
signature-based-sriFinch feature name
SignatureBasedIntegrityRequires code in //chrome?
FalseTracking bug
https://issues.chromium.org/issues/375224898Estimated milestones
| Origin trial desktop first | 135 |
| Origin trial desktop last | 141 |
| Origin trial Android first | 135 |
| Origin trial Android last | 141 |
| Origin trial WebView first | 135 |
| Origin trial WebView last | 141 |
Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5032324620877824?gate=5259773271080960Links to previous Intent discussions
Intent to Prototype: https://groups.google.com/a/chromium.org/d/msgid/blink-dev/6753088f.2b0a0220.1432c2.020a.GAE%40google.com
Mike Taylor
LGTM to experiment from M135 to M141 inclusive.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/67b8a89e.2b0a0220.175b17.0a0c.GAE%40google.com.