This proposal is about moving to hosted apps with delta updates
In all of these cases, adding support for delta updates potentially adds significant complexity to the signing system because resources are less static and can be dynamically modified inside a cache at runtime. It could be very tricky to not invalidate a signature.
If we were to hash individual resources and enumerate them in a signed manifest as proposed in , then at least when the app (via the manifest) is updated potentially only the resources which have changed would need to be re-downloaded into a Service Worker cache. This is much better than having to download a whole new zip file of the entire app.
Would this be a big enough step forward for a first iteration of this architecture, potentially leaving delta updates for a future iteration when we have a basic signing system in place?