Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Signature-based Integrity #1139

Open
mikewest opened this issue Dec 6, 2024 · 2 comments
Open

Signature-based Integrity #1139

mikewest opened this issue Dec 6, 2024 · 2 comments
Labels
team: Security venue: W3C CG Specifications in W3C Community Groups (e.g., WICG, Privacy CG)

Comments

@mikewest
Copy link

mikewest commented Dec 6, 2024

Request for Mozilla Position on an Emerging Web Specification

Other information

TL;DR:

It would be nice if web developers could verify the provenance of resources they depend upon, establishing the technical foundations upon which they can increase confidence in the integrity of their dependencies. We offer brittle, content-based integrity mechanisms today which can (in theory) but do not (in practice) enable this capability. This proposal explores an alternative that builds upon existing integrity checks (e.g. <script integrity> and signature mechanisms (RFC9421 to give developers an additional option when deciding how to protect their sites from unexpected injection.

In short, developers will include the following on their site:

<script src="https://amazing.example/widget.js"
        crossorigin="anonymous"
        integrity="ed25519-[base64-encoded public key]"></script>

Servers will deliver resources signed with the asserted key:

HTTP/1.1 200 OK
Accept-Ranges: none
Vary: Accept-Encoding
Content-Type: text/javascript; charset=UTF-8
Access-Control-Allow-Origin: *
Identity-Digest: sha-512=:[base64-encoded digest of the response body]:
Signature-Input: sig1=("identity-digest";sf); alg="ed25519"; keyid="[base64-encoded public key]"; tag="sri"
Signature: sig1=:[base64-encoded result of Ed25519([response body], [private key])]:

Modulo a few details we're still working out in the draft spec and on GitHub, that's it. Easy peasy. WDYT?

@tomrittervg
Copy link

@beurdouche

@tomrittervg
Copy link

See also WICG/proposals#124 I believe

@zcorpan zcorpan added venue: W3C CG Specifications in W3C Community Groups (e.g., WICG, Privacy CG) team: Security labels Dec 18, 2024
@zcorpan zcorpan moved this from Unscreened to Needs assignees in standards-positions review Dec 18, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
team: Security venue: W3C CG Specifications in W3C Community Groups (e.g., WICG, Privacy CG)
Projects
Status: Needs assignees
Development

No branches or pull requests

3 participants