Re: Intent to implement: Sub-resource Integrity (SRI)

2015-01-01 Thread James Graham
On 01/01/15 01:38, Francois Marier wrote:
> On 31/12/14 21:42, Ms2ger wrote:
>> What's the testing story? Do we pass the web-platform tests
>> ()?
> 
> We do, except for one which relies on ambiguity in the spec and is
> currently being discussed [1] in the working group. I will update our
> code as needed once that discussion has concluded.
> 
>> Do we run them in automation? Do we intend to extend
>> the tests to a level where we can be confident about interoperability
>> with other browsers?
> 
> I've got a few mochitests [2] already, but I've got a few more I want to
> add to cover all of the corner cases in the spec.

It looks like those mochitests are only doing things that can be done in
a web-platform-test. So if you are looking to create more tests for the
spec (a goal I very much support), I suggest converting whichever of
those are covered in the existing web-platform-tests first of all.

> In terms of interop with other browsers, I'm thinking of expanding the
> w3c tests and then running those against Chromium to ensure that we've
> made the same assumptions. The Chromium developers responsible for the
> SRI implementation are also involved in the working group.

This sounds great. We have all the tools to make it possible; please ask
me if you need any help.

___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform


Re: Intent to implement: Sub-resource Integrity (SRI)

2014-12-31 Thread Francois Marier
On 31/12/14 21:42, Ms2ger wrote:
> What's the testing story? Do we pass the web-platform tests
> ()?

We do, except for one which relies on ambiguity in the spec and is
currently being discussed [1] in the working group. I will update our
code as needed once that discussion has concluded.

> Do we run them in automation? Do we intend to extend
> the tests to a level where we can be confident about interoperability
> with other browsers?

I've got a few mochitests [2] already, but I've got a few more I want to
add to cover all of the corner cases in the spec.

In terms of interop with other browsers, I'm thinking of expanding the
w3c tests and then running those against Chromium to ensure that we've
made the same assumptions. The Chromium developers responsible for the
SRI implementation are also involved in the working group.

If you have any other suggestions to improve our testing, I'd love to
hear them.

Francois

[1] http://lists.w3.org/Archives/Public/public-webappsec/2014Dec/0242.html

[2] https://bugzilla.mozilla.org/attachment.cgi?id=8542512


Re: Intent to implement: Sub-resource Integrity (SRI)

2014-12-31 Thread Francois Marier
On 31/12/14 19:09, L. David Baron wrote:
>> Spec: http://www.w3.org/TR/SRI/
> 
> The TR draft of that spec looks a bit out-of-date.  Will you be
> referring to the editor's draft, and tracking the progress in the
> working group, or be in touch with others who are?

Yes, I'm working off of the editor's draft:


https://github.com/w3c/webappsec/blob/master/specs/subresourceintegrity/spec.markdown

I'm also collaborating with Freddy Braun and the other editors to fix
the remaining problems with the spec.

> It looks like perhaps an early-ish draft.  Does the working group
> believe it's stable enough to implement and ship?  Or is the plan to
> implement and hold off on shipping until it's more stable?

At TPAC, the working group decided to keep the stable parts for level 1
and leave the things which aren't ready for a later version. I believe
it's still on track for a last call draft in early 2015.

> (And presumably you're also implementing
> http://tools.ietf.org/html/rfc6920 , but that looks more stable.)

For now, I'm only implementing the parts of that spec that we need for
SRI, but thanks for pointing it out; SRI uses the URI format defined in
that RFC.

Francois
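
The reply above says SRI uses the URI format defined in RFC 6920. As an added illustration (not code from this thread or from the Gecko implementation), the Python sketch below builds and verifies an `ni:///sha-256;...` value. The function names are hypothetical, only full-length SHA-256 is handled, and the sample input is constructed.

```python
import base64
import hashlib
import hmac
import re

# Only full-length SHA-256 is handled; anything else is rejected (fail closed).
SUPPORTED = {"sha-256": hashlib.sha256}
B64URL = re.compile(r"[A-Za-z0-9_-]+")  # base64url alphabet, no '=' padding


def make_ni(data: bytes, alg: str = "sha-256") -> str:
    """Return an ni URI with an empty authority for the given bytes."""
    digest = SUPPORTED[alg](data).digest()
    val = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return f"ni:///{alg};{val}"


def parse_ni(uri: str):
    """Split ni://authority/alg;val[?query] into (alg, raw digest bytes)."""
    if not uri.startswith("ni://"):
        raise ValueError("not an ni URI")
    rest = uri[len("ni://"):].split("?", 1)[0]  # optional query is ignored
    _authority, slash, alg_val = rest.partition("/")
    alg, semi, val = alg_val.partition(";")
    if not slash or not semi or alg not in SUPPORTED:
        raise ValueError("malformed URI or unsupported algorithm")
    if not B64URL.fullmatch(val):
        raise ValueError("value is not unpadded base64url")
    digest = base64.urlsafe_b64decode(val + "=" * (-len(val) % 4))
    if len(digest) != SUPPORTED[alg]().digest_size:
        raise ValueError("digest length does not match algorithm")
    return alg, digest


def verify_ni(data: bytes, uri: str) -> bool:
    """True only if data hashes to the digest named by the URI."""
    try:
        alg, expected = parse_ni(uri)
    except ValueError:
        return False  # unparsable or unsupported metadata never validates
    actual = SUPPORTED[alg](data).digest()
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    sample = b"Hello World!"  # constructed sample resource body
    uri = make_ni(sample)
    print(uri, verify_ni(sample, uri), verify_ni(sample + b"x", uri))
```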



Re: Intent to implement: Sub-resource Integrity (SRI)

2014-12-31 Thread Francois Marier
On 31/12/14 19:00, Johnny Stenback wrote:
> LGTM, what's the status wrt other browsers supporting this?

Chromium has implemented the same subset of the spec as us (which is
roughly what Level 1 is shaping up to be). It has already landed in
Canary, not sure when they plan on pushing it to the release channel.

I haven't heard anything about other browsers.

Francois


Re: Intent to implement: Sub-resource Integrity (SRI)

2014-12-31 Thread Ms2ger

On 12/31/2014 06:40 AM, Francois Marier wrote:
> Summary: Allow web authors to add integrity checks to
> sub-resources.
> 
> Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=992096
> 
> Spec: http://www.w3.org/TR/SRI/

What's the testing story? Do we pass the web-platform tests
()?
Do we run them in automation? Do we intend to extend
the tests to a level where we can be confident about interoperability
with other browsers?

Thanks
Ms2ger


Re: Intent to implement: Sub-resource Integrity (SRI)

2014-12-30 Thread L. David Baron
On Wednesday 2014-12-31 18:40 +1300, Francois Marier wrote:
> Summary: Allow web authors to add integrity checks to sub-resources.
> 
> Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=992096
> 
> Spec: http://www.w3.org/TR/SRI/

The TR draft of that spec looks a bit out-of-date.  Will you be
referring to the editor's draft, and tracking the progress in the
working group, or be in touch with others who are?

It looks like perhaps an early-ish draft.  Does the working group
believe it's stable enough to implement and ship?  Or is the plan to
implement and hold off on shipping until it's more stable?

(And presumably you're also implementing
http://tools.ietf.org/html/rfc6920 , but that looks more stable.)

-David

-- 
𝄞   L. David Baron http://dbaron.org/   𝄂
𝄢   Mozilla  https://www.mozilla.org/   𝄂
 Before I built a wall I'd ask to know
 What I was walling in or walling out,
 And to whom I was like to give offense.
   - Robert Frost, Mending Wall (1914)




Re: Intent to implement: Sub-resource Integrity (SRI)

2014-12-30 Thread Johnny Stenback
LGTM, what's the status wrt other browsers supporting this?

Thanks,
Johnny

On Tue, Dec 30, 2014 at 9:40 PM, Francois Marier wrote:
> Summary: Allow web authors to add integrity checks to sub-resources.
>
> Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=992096
>
> Spec: http://www.w3.org/TR/SRI/
>
> Platforms: all
>
> Estimated or target release: Q1 of 2015
>
> Preference behind which this will be implemented:
> security.subResourceIntegrity.enable
>
> Background:
>
> The best way to explain this is through an example. If you have the
> following:
>
> 

Intent to implement: Sub-resource Integrity (SRI)

2014-12-30 Thread Francois Marier
Summary: Allow web authors to add integrity checks to sub-resources.

Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=992096

Spec: http://www.w3.org/TR/SRI/

Platforms: all

Estimated or target release: Q1 of 2015

Preference behind which this will be implemented:
security.subResourceIntegrity.enable

Background:

The best way to explain this is through an example. If you have the
following: