LGTM to experiment from M135 to M141 inclusive.

On 2/21/25 11:23 AM, Chromestatus wrote:


        Contact emails

mk...@chromium.org


        Explainer

https://github.com/WICG/signature-based-sri


        Specification

https://wicg.github.io/signature-based-sri


        Summary

This feature provides web developers with a mechanism to verify the provenance of resources they depend upon, creating a technical foundation for trust in a site's dependencies. In short: servers can sign responses with an Ed25519 key pair, and web developers can require the user agent to verify the signature using a specific public key. This offers a helpful addition to URL-based checks offered by Content Security Policy on the one hand, and Subresource Integrity's content-based checks on the other.



        Blink component

Blink>SecurityFeature>Subresource Integrity <https://issues.chromium.org/issues?q=customfield1222907:%22Blink%3ESecurityFeature%3ESubresource%20Integrity%22>


        Search tags

sri, signature, ed25519, integrity, provenance


        TAG review

https://github.com/w3ctag/design-reviews/issues/1041


        TAG review status

Pending


        Origin Trial documentation link

https://github.com/WICG/signature-based-sri


        Risks



        Interoperability and Compatibility

None



/Gecko/: No signal (https://github.com/mozilla/standards-positions/issues/1139)

/WebKit/: No signal (https://github.com/WebKit/standards-positions/issues/434)

/Web developers/: No signals. Shopify (@yoavweiss) has expressed positive initial impressions, as have folks at Cloudflare and Google.

/Other signals/:


        Ergonomics

The hash functions we currently support for SRI generally are not conducive to streaming responses. This is arguably fine for scripts and stylesheets (as those are executed atomically, requiring the entire body), but it cannot work for other resource types (images, video, etc). It's likely we'll want to extend the set of hash functions in the future (though we'd do that for SRI, CSP, and this mechanism in one fell swoop).



        Activation

Chromium's implementation of WebCrypto doesn't yet support Ed25519 signing/verification, which means tooling to help developers generate signatures requires flipping the experimental web platform features flag. Not the end of the world.



        Security

The feature aims to plug a security hole in the platform's status quo ante: it is impossible to deploy content-based integrity checks for dynamic resources, and URL-based checks are too broad to provide meaningful security protections. We continue to require CORS-based opt-in for integrity checks on responses to ensure that we're not leaking data unintentionally between origins.



        WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?

None



        Goals for experimentation



        Ongoing technical constraints

None.



        Debuggability

`Signature` and `Signature-Input` header parsing and validation is well-covered with DevTools issues. The same cannot (yet!) be said for `Unencoded-Digest` parsing and enforcement. Working on it!



        Will this feature be supported on all six Blink platforms
        (Windows, Mac, Linux, ChromeOS, Android, and Android WebView)?

Yes


        Is this feature fully tested by web-platform-tests
        
<https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?

Yes

https://wpt.fyi/results/subresource-integrity/unencoded-digest?label=experimental&label=master&aligned
https://wpt.fyi/results/subresource-integrity/signatures?label=experimental&label=master&aligned



        Flag name on about://flags

signature-based-sri


        Finch feature name

SignatureBasedIntegrity


        Requires code in //chrome?

False


        Tracking bug

https://issues.chromium.org/issues/375224898


        Estimated milestones

Origin trial desktop first      135
Origin trial desktop last       141
Origin trial Android first      135
Origin trial Android last       141
Origin trial WebView first      135
Origin trial WebView last       141



        Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5032324620877824?gate=5259773271080960


        Links to previous Intent discussions

Intent to Prototype: https://groups.google.com/a/chromium.org/d/msgid/blink-dev/6753088f.2b0a0220.1432c2.020a.GAE%40google.com


This intent message was generated by Chrome Platform Status <https://chromestatus.com>.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org. To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/67b8a89e.2b0a0220.175b17.0a0c.GAE%40google.com <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/67b8a89e.2b0a0220.175b17.0a0c.GAE%40google.com?utm_medium=email&utm_source=footer>.
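
Added illustration, not part of the thread and not Chromium's code: a Node.js model of the flow the Summary and Security sections describe, where a server signs the digest of each response with an Ed25519 key and the client accepts the body only if the signature verifies under the key pinned in `integrity`. The function names are hypothetical, and the signature-base layout (`keyid`, `tag="sri"`) is a simplified assumption modelled on HTTP Message Signatures (RFC 9421); the specification linked above defines the actual format.

```javascript
// Added example: simplified model of signature-based SRI, not Chromium's code.
const crypto = require('node:crypto');

// Value of the Unencoded-Digest header for a response body.
function digestHeader(body) {
  return 'sha-256=:' + crypto.createHash('sha256').update(body).digest('base64') + ':';
}

// Assumed signature base, modelled on RFC 9421: the digest plus signature parameters.
function signatureBase(digest, keyB64) {
  const params = `("unencoded-digest";sf);keyid="${keyB64}";tag="sri"`;
  return { params, base: `"unencoded-digest";sf: ${digest}\n"@signature-params": ${params}` };
}

// Server side: sign the digest of whatever body is being served.
function signResponse(body, privateKey, keyB64) {
  const digest = digestHeader(body);
  const { params, base } = signatureBase(digest, keyB64);
  const sig = crypto.sign(null, Buffer.from(base), privateKey).toString('base64');
  return { 'unencoded-digest': digest, 'signature-input': `signature=${params}`,
           'signature': `signature=:${sig}:` };
}

// Client side: accept the body only if it matches the digest and the digest
// is signed by the key pinned in integrity="ed25519-<base64 public key>".
function verifyResponse(body, headers, integrity) {
  const pin = /^ed25519-([A-Za-z0-9+/]{43}=)$/.exec(integrity);
  const sig = /^signature=:([A-Za-z0-9+/]{86}==):$/.exec(headers['signature'] || '');
  if (!pin || !sig) return false;
  if (headers['unencoded-digest'] !== digestHeader(body)) return false;
  // Wrap the raw 32-byte key in the fixed Ed25519 SPKI prefix so Node can import it.
  const spki = Buffer.concat([Buffer.from('302a300506032b6570032100', 'hex'),
                              Buffer.from(pin[1], 'base64')]);
  const key = crypto.createPublicKey({ key: spki, format: 'der', type: 'spki' });
  const { base } = signatureBase(headers['unencoded-digest'], pin[1]);
  return crypto.verify(null, Buffer.from(base), key, Buffer.from(sig[1], 'base64'));
}

// Constructed demo: a fresh key pair and two different bodies from the same server.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const keyB64 = publicKey.export({ format: 'der', type: 'spki' }).subarray(-32).toString('base64');
  const integrity = 'ed25519-' + keyB64;
  const a = 'console.log("build 1");', b = 'console.log("build 2");';
  const ha = signResponse(a, privateKey, keyB64), hb = signResponse(b, privateKey, keyB64);
  return { bothAccepted: verifyResponse(a, ha, integrity) && verifyResponse(b, hb, integrity),
           tamperedAccepted: verifyResponse(a + '//x', ha, integrity),
           swappedAccepted: verifyResponse(b, ha, integrity) };
}
```

Both bodies verify under one unchanged `integrity` value, which a hash-based SRI check cannot do for content that changes, while a modified body or a signature replayed onto a different body is rejected.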
