Would it be possible to meet the security goals without assuming that the
response body is part of the package? See [1] for background on why that's
beneficial.. at least for performance side of the story. I'm picturing a
package description where each resource has a SRI token, plus a signature
to authenticate the tree of resources / package description itself?

[1] http://lists.w3.org/Archives/Public/public-web-perf/2015Jan/0008.html

On Fri, Jan 30, 2015 at 9:27 AM, Devdatta Akhawe <dev.akh...@gmail.com>
wrote:

> > Maybe the code from the downloaded package has to be run from a local
> origin like chrome://*.
>
> Doesn't the same issue that Chris raised still exist? You need a unit
> of isolation that says "only code signed with this public key runs in
> this isolation compartment". Chrome extensions have that model.
> Whether we achieve this via origins, COWLs, or origin+key as the
> identifier, is a separate question, but Chris' high level bit remains true.
>
> cheers
> dev
>
>

Reply via email to