But I still like it & until we have packages, in combination w/ things like strict-dynamic, it gives more control over script auth
Would 'stopgap' sound better than 'stepping stone'? :)
Replying to @durumcrustulum @mikewest
I guess my challenge is understanding how the two are related :) Seem very orthogonal problem spaces (1P v 3P, online v offline)
No idea what packages are you @ talking about
The idea of the signing is to detect and prevent a third party from injecting/modifying js
TLS does that.
TLS does that at the transport layer. It doesn't do that at the application layer.
That
Right. So hostile CDN case where you trust them but don't actually. Trusting trust, turtles, etc
But _whose_ turtles? Wouldn’t it be nice if they had some sort of (signed) collar? :)
It'd be nice(r) to require the HTML (and headers) for https://briansmith.org/ have a valid sig or else fall back to https://origin.briansmith.org/ .
That would allow one to use a CDN for the most important load (the 1st one that blocks everything) w/o trust, but requires much more infra.