Intent to Ship: Signature-based Integrity

278 views
Skip to first unread message

Chromestatus

unread,
Aug 13, 2025, 6:37:10 AMAug 13
to blin...@chromium.org, dad...@chromium.org, mk...@chromium.org

Contact emails

mk...@chromium.org

Explainer

https://github.com/WICG/signature-based-sri

Specification

https://wicg.github.io/signature-based-sri

Summary

This feature provides web developers with a mechanism to verify the provenance of resources they depend upon, creating a technical foundation for trust in a site's dependencies. In short: servers can sign responses with a Ed25519 key pair, and web developers can require the user agent to verify the signature using a specific public key. This offers a helpful addition to URL-based checks offered by Content Security Policy on the one hand, and Subresource Integrity's content-based checks on the other.



Blink component

Blink>SecurityFeature>Subresource Integrity

Search tags

sri, signature, ed25519, integrity, provenance

TAG review

https://github.com/w3ctag/design-reviews/issues/1041

TAG review status

Pending

Origin Trial Name

Signature-based SRI

Chromium Trial Name

SignatureBasedIntegrity

Origin Trial documentation link

https://github.com/WICG/signature-based-sri

WebFeature UseCounter name

kSRIPublicKeyAssertion

Risks



Interoperability and Compatibility

None



Gecko: No signal (https://github.com/mozilla/standards-positions/issues/1139)

WebKit: Support (https://github.com/WebKit/standards-positions/issues/434)

Web developers: No signals Shopify (@yoavweiss) has expressed positive initial impressions, as have folks at Cloudflare and Google.

Other signals:

Ergonomics

The hash functions we currently support for SRI generally are not conducive to streaming responses. This is arguably fine for scripts and stylesheets (as those are executed atomically, requiring the entire body), but it cannot work for other resource types (images, video, etc). It's likely we'll want to extend the set of hash functions in the future (though we'd do that for SRI, CSP, and this mechanism in one fell swoop).



Activation

None.



Security

The feature aims to plug a security hole in the platform's status quo ante: it is impossible to deploy content-based integrity checks for dynamic resources, and URL-based checks are too broad to provide meaningful security protections. We continue to require CORS-based opt-in for integrity checks on responses to ensure that we're not leaking data unintentionally between origins.



WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?

None



Debuggability

`Signature` and `Signature-Input` header parsing and validation is well-covered with DevTools issues. The same is true for `Unencoded-Digest` parsing and enforcement.



Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, ChromeOS, Android, and Android WebView)?

Yes

Is this feature fully tested by web-platform-tests?

Yes

https://wpt.fyi/results/subresource-integrity/unencoded-digest?label=experimental&label=master&aligned https://wpt.fyi/results/subresource-integrity/signatures?label=experimental&label=master&aligned



Flag name on about://flags

signature-based-sri

Finch feature name

SignatureBasedIntegrity

Rollout plan

Will ship enabled for all users

Requires code in //chrome?

False

Tracking bug

https://issues.chromium.org/issues/375224898

Estimated milestones

Shipping on desktop 141
Origin trial desktop first 135
Origin trial desktop last 141
Shipping on Android 141
Origin trial Android first 135
Origin trial Android last 141
Shipping on WebView 141
Origin trial WebView first 135
Origin trial WebView last 141


Anticipated spec changes

Open questions about a feature may be a source of future web compat or interop issues. Please list open issues (e.g. links to known github issues in the project for the feature specification) whose resolution may introduce web compat/interop risk (e.g., changing to naming or structure of the API in a non-backward-compatible way).

None

Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5032324620877824?gate=5079751293927424

Links to previous Intent discussions

Intent to Prototype: https://groups.google.com/a/chromium.org/d/msgid/blink-dev/6753088f.2b0a0220.1432c2.020a.GAE%40google.com
Intent to Experiment: https://groups.google.com/a/chromium.org/d/msgid/blink-dev/67b8a89e.2b0a0220.175b17.0a0c.GAE%40google.com


This intent message was generated by Chrome Platform Status.

Alex Russell

unread,
Aug 13, 2025, 11:14:58 AMAug 13
to blink-dev, Chromestatus, dad...@chromium.org, Mike West
LGTM1, can we get SRI for images next? ;-)

Best,

Alex

Dan Clark

unread,
Aug 18, 2025, 2:44:34 PMAug 18
to blink-dev, sligh...@chromium.org, Chromestatus, dad...@chromium.org, mk...@chromium.org
LGTM2

Yoav Weiss (@Shopify)

unread,
Aug 19, 2025, 8:01:44 AMAug 19
to Dan Clark, blink-dev, sligh...@chromium.org, Chromestatus, dad...@chromium.org, mk...@chromium.org
LGTM3

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/0f48ef05-9d94-4fd1-9009-681bedc9f200n%40chromium.org.
Reply all
Reply to author
Forward
0 new messages