The WebAppSec community requests review of Subresource Integrity
<http://w3c.github.io/webappsec/specs/subresourceintegrity/>, specifically:
[[
Fetch Integration
Privacy and Security Considerations
CORS interactions
Future Considerations regarding broader integration into other HTML elements
Extensibility
]]
If you have any feedback, please send it to public-webappsec @ w3.org
([archive]), using a "[SRI]" Subject: prefix, by May 26.
-Thanks, AB
[archive] <https://lists.w3.org/Archives/Public/public-webappsec/>
-------- Forwarded Message --------
Subject: Subresource Integrity - review requested
Resent-Date: Thu, 07 May 2015 19:33:16 +0000
Resent-From: [email protected]
Date: Thu, 7 May 2015 19:30:48 +0000
From: Brad Hill <[email protected]>
To: [email protected] <[email protected]>
Hello,
The Web Application Security Working Group requests review of the following
specification before 2015-05-26:
Subresource Integrity
http://w3c.github.io/webappsec/specs/subresourceintegrity/
The group requests feedback via [email protected] with [SRI] in the subject
line.
This specification defines a mechanism by which user agents may verify that
a fetched resource has been delivered without unexpected manipulation.
Specifically, this version uses hashed metadata annotations delivered as a
new "integrity" attribute of the <script> and <link> tags.
Level 1 is intended as a "minimum viable" release, targeting what the group
believes to be a few high-value use cases with the most manageable
requirements, in order to learn how such a mechanism will interact with the
large scale architecture of the Web, before proceeding to additional
features and scenario targets.
The group has specifically asked for feedback on the following:
============================================
Fetch Integration
Privacy and Security Considerations
CORS interactions
Future Considerations regarding broader integration into other HTML elements
Extensibility
============================================
Sincerely,
Brad Hill
Co-chair, WebAppSec WG