Signature-based Integrity

[mikewest]

WebKittens

@annevk @Wilander

Title of the proposal

Signature-based Integrity

URL to the spec

https://wicg.github.io/signature-based-sri/

URL to the spec's repository

https://github.com/WICG/signature-based-sri

TAG Design Review URL

Waiting to get feedback/signal from y'all and our friends at Mozilla

Mozilla standards-positions issue URL

mozilla/standards-positions#1139

WebKit Bugzilla URL

No response

Radar URL

No response

Description

It would be nice if web developers could verify the provenance of resources they depend upon, establishing the technical foundations upon which they can increase confidence in the integrity of their dependencies. We offer brittle, content-based integrity mechanisms today which can (in theory) but do not (in practice) enable this capability. This proposal explores an alternative that builds upon existing integrity checks (e.g. <script integrity> and signature mechanisms (RFC9421 to give developers an additional option when deciding how to protect their sites from unexpected injection.

In short, developers will include the following on their site:

<script src="https://amazing.example/widget.js"
        crossorigin="anonymous"
        integrity="ed25519-[base64-encoded public key]"></script>

Servers will deliver resources signed with the asserted key:

HTTP/1.1 200 OK
Accept-Ranges: none
Vary: Accept-Encoding
Content-Type: text/javascript; charset=UTF-8
Access-Control-Allow-Origin: *
Identity-Digest: sha-512=:[base64-encoded digest of the response body]:
Signature-Input: sig1=("identity-digest";sf); alg="ed25519"; keyid="[base64-encoded public key]"; tag="sri"
Signature: sig1=:[base64-encoded result of Ed25519([response body], [private key])]:

Modulo a few details we're still working out in the draft spec and on GitHub, that's it. Easy peasy. WDYT?