Allowing pages to verify Ed25519 signatures before executing script seems like a nicely-deployable variant of SRI (also, it annoys @sleevi_) https://twitter.com/intenttoship/status/895222060649152513
Not compression exactly; it just makes SRI easier to deploy by making it easier to deal w/ subresource changes, right? No new capability.
Easier at first, but harder to maintain / bigger footgun (as captured on list). Feels sort of like 5-year TLS certs. "Nice" but bad...
IDK. Sigs seem like “just” detached (out of band) digests here. People have always misunderstood SRI to be more than it is, even w/o this.
It's about operational overhead more than it is about added capability. Detaching creates new opportunities for destructive laziness.
Well, we could try it and see. Seems unlikely to become worse than HPKP. The experiment can always be canceled.
Reminds me of that genius that warned everybody that redaction in CT was terrible & unnecessary & too complex to implement. Ended up OK.
New conversation
That seems to be the gist of Mike's reply. Compression and better cacheability, at the cost of effective key management (i.e. at great cost).