Would it be possible to meet the security goals without assuming that the response body is part of the package? See [1] for background on why that's beneficial, at least for the performance side of the story. I'm picturing a package description where each resource has an SRI token, plus a signature to authenticate the tree of resources / package description itself?

[1] http://lists.w3.org/Archives/Public/public-web-perf/2015Jan/0008.html

On Fri, Jan 30, 2015 at 9:27 AM, Devdatta Akhawe <dev.akh...@gmail.com> wrote:
> > Maybe the code from the downloaded package has to be run from a local
> origin like chrome://*.
>
> Doesn't the same issue that Chris raised still exist? You need a unit
> of isolation that says "only code signed with this public key runs in
> this isolation compartment". Chrome extensions have that model.
> Whether we achieve this via origins, COWLs, or origin+key as the
> identifier, is a separate question, but Chris' high level bit remains true.
>
> cheers
> dev
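
The scheme sketched in the reply above (a signed package description listing an SRI token per resource, with the bodies delivered separately), as an added example that is not part of the original thread. The JSON layout, the function names and the demo key are assumptions, and HMAC-SHA256 stands in for the publisher's public-key signature because the Python standard library has no asymmetric signing.

```python
import base64, hashlib, hmac, json

# Constructed demo key. HMAC-SHA256 is a stand-in for a publisher's public-key
# signature (assumption: a real deployment verifies with the public key only).
DEMO_KEY = b"constructed-demo-key"

def sri_token(body: bytes, alg: str = "sha384") -> str:
    """SRI-style integrity token: '<alg>-<base64 digest>'."""
    digest = hashlib.new(alg, body).digest()
    return f"{alg}-{base64.b64encode(digest).decode()}"

def canonical(description: dict) -> bytes:
    """Deterministic serialization so signer and verifier see the same bytes."""
    return json.dumps(description, sort_keys=True, separators=(",", ":")).encode()

def sign_description(description: dict, key: bytes = DEMO_KEY) -> bytes:
    return hmac.new(key, canonical(description), hashlib.sha256).digest()

def description_ok(description: dict, signature: bytes, key: bytes = DEMO_KEY) -> bool:
    return hmac.compare_digest(sign_description(description, key), signature)

def resource_ok(description: dict, url: str, body: bytes) -> bool:
    """Check a separately fetched body against the token listed for its URL."""
    token = description.get("resources", {}).get(url)
    if token is None:  # URL is not part of the signed tree: reject
        return False
    alg = token.split("-", 1)[0]
    if alg not in ("sha256", "sha384", "sha512"):
        return False
    return hmac.compare_digest(sri_token(body, alg), token)

def load(description: dict, signature: bytes, fetched: dict) -> dict:
    """Verify the description first, then each body fetched outside the package."""
    if not description_ok(description, signature):
        raise ValueError("package description signature invalid")
    return {url: resource_ok(description, url, body) for url, body in fetched.items()}

# Constructed sample package: two resources whose bodies travel separately.
BODIES = {"/app.js": b"console.log('hi');", "/style.css": b"body{margin:0}"}
DESCRIPTION = {"resources": {u: sri_token(b) for u, b in BODIES.items()}}
SIGNATURE = sign_description(DESCRIPTION)

if __name__ == "__main__":
    print(load(DESCRIPTION, SIGNATURE, BODIES))
```

The signature covers only the description, so a swapped body fails its token check and a swapped token fails the signature check.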