On 19.11.2014 04:26, Michaela Merz wrote:
> First: We need signed script code. We are doing a lot of stuff with
> script - we could safely do even more, if we would be able to safely
> deliver script that has some kind of a trust model. I am thinking about
> signed JAR files - just like we did with java applets not too long ago.
> Maybe as an extension to the CSP environment .. and a nice frame around
> the browser telling the user that the site is providing trusted / signed
> code. Signed code could allow more openness, like true full screen, or
> simpler ajax downloads.

Well, you can't sign or verify with Subresource Integrity (SRI), but SRI allows you to make sure that it has not been tampered with on the hosting side: <http://www.w3.org/TR/SRI/>
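
Added example, not part of the original message: a Node.js sketch of the check SRI performs, showing that a pinned hash detects a modified file while carrying no signer identity. The function names (`sriFor`, `parseIntegrity`, `matchesIntegrity`, `demo`) and both sample scripts are constructed for illustration.

```javascript
const { createHash } = require("crypto");

// Hash functions SRI defines, weakest to strongest.
const STRENGTH = ["sha256", "sha384", "sha512"];

// Build an integrity value ("sha384-<base64 digest>") for a resource body.
function sriFor(body, alg = "sha384") {
  return `${alg}-${createHash(alg).update(body).digest("base64")}`;
}

// Parse an integrity attribute into {alg, digest} entries, skipping
// tokens with unknown algorithms, as a user agent would.
function parseIntegrity(attr) {
  return attr.trim().split(/\s+/).filter(Boolean).map((tok) => {
    const m = /^(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})(\?.*)?$/.exec(tok);
    return m ? { alg: m[1], digest: m[2] } : null;
  }).filter(Boolean);
}

// True if the body matches any digest of the strongest listed algorithm.
// With no usable metadata there is nothing to enforce, so the check passes.
function matchesIntegrity(body, attr) {
  const entries = parseIntegrity(attr);
  if (entries.length === 0) return true;
  const strongest = entries.reduce((a, b) =>
    STRENGTH.indexOf(b.alg) > STRENGTH.indexOf(a.alg) ? b : a).alg;
  const actual = createHash(strongest).update(body).digest("base64");
  return entries.some((e) => e.alg === strongest && e.digest === actual);
}

// Constructed sample data: the script as published and a modified copy.
const original = Buffer.from("function greet(){return 'hello';}\n");
const tampered = Buffer.from("function greet(){return 'hello';}/*x*/\n");
const pinned = sriFor(original); // value the embedding page would carry

function demo() {
  return {
    original: matchesIntegrity(original, pinned),
    tampered: matchesIntegrity(tampered, pinned),
    // A hash recomputed over the modified bytes is just as valid: the value
    // binds content to the embedding page, not to any signer.
    rehashed: matchesIntegrity(tampered, sriFor(tampered)),
  };
}

console.log(demo());
```

The `rehashed` case is why the integrity value is only as trustworthy as the page that carries it.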