Would it be possible to meet the security goals without assuming that the response body is part of the package? See [1] for background on why that's beneficial, at least for the performance side of the story. I'm picturing a package description where each resource has an SRI token, plus a signature to authenticate the tree of resources / package description itself?

[1] http://lists.w3.org/Archives/Public/public-web-perf/2015Jan/0008.html

On Fri, Jan 30, 2015 at 9:27 AM, Devdatta Akhawe <dev.akh...@gmail.com> wrote:
> > Maybe the code from the downloaded package has to be run from a local origin like chrome://*.
>
> Doesn't the same issue that Chris raised still exist? You need a unit
> of isolation that says "only code signed with this public key runs in
> this isolation compartment". Chrome extensions have that model.
> Whether we achieve this via origins, COWLs, or origin+key as the
> identifier, is a separate question, but Chris' high level bit remains true.
>
> cheers
> dev
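
The package description pictured at the top of this message (one SRI token per resource, plus a signature over the description, with bodies delivered separately), sketched as an added example that is not part of the original thread. The JSON layout, the choice of Ed25519, and all function names are assumptions made for illustration; the isolation question raised in the quoted reply is outside what it covers.

```javascript
const nodeCrypto = require('node:crypto');

// SRI token for one resource body: "sha256-" + base64 digest.
function sri(body) {
  return 'sha256-' + nodeCrypto.createHash('sha256').update(body).digest('base64');
}

// Package description: sorted [path, SRI token] pairs, so the signed bytes
// are deterministic. It carries no response bodies. (Layout is an assumption.)
function describe(resources) {
  return JSON.stringify(Object.keys(resources).sort().map((p) => [p, sri(resources[p])]));
}

function signDescription(description, privateKey) {
  return nodeCrypto.sign(null, Buffer.from(description), privateKey).toString('base64');
}

// Authenticate the description once, then hand back a checker for bodies
// that are fetched separately (cache, network, another package).
function openPackage(description, signatureB64, publicKey) {
  const sig = Buffer.from(signatureB64, 'base64');
  if (!nodeCrypto.verify(null, Buffer.from(description), publicKey, sig)) {
    throw new Error('package description signature invalid');
  }
  const tokens = new Map(JSON.parse(description));
  return (path, body) => tokens.get(path) === sri(body);
}

function demo() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
  // Constructed sample resources.
  const resources = { '/app.js': 'console.log("hi")', '/style.css': 'body{margin:0}' };
  const description = describe(resources);
  const signature = signDescription(description, privateKey);
  const check = openPackage(description, signature, publicKey);
  let editedDescriptionRejected = false;
  try {
    openPackage(description.replace('/app.js', '/other.js'), signature, publicKey);
  } catch (e) { editedDescriptionRejected = true; }
  return {
    genuineBody: check('/app.js', resources['/app.js']),
    modifiedBody: check('/app.js', 'console.log("changed")'),
    unlistedPath: check('/missing.js', 'x'),
    editedDescriptionRejected,
  };
}

console.log(demo());
```

Because only the description is signed, a body can come from any cache or connection and still be checked against its token before use.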