Allowing pages to verify Ed25519 signatures before executing script seems like a nicely-deployable variant of SRI (also, it annoys @sleevi_) https://twitter.com/intenttoship/status/895222060649152513
-
Easier at first, but harder to maintain / bigger footgun (as captured on list). Feels sort of like 5 year TLS certs. "Nice" but bad...
-
IDK. Sigs seem like “just” detached (out of band) digests here. People have always misunderstood SRI to be more than it is, even w/o this.
-
It's about operational overhead more than it is about added capability. Detaching creates new opportunities for destructive laziness.
-
Well, we could try it and see. Seems unlikely to become worse than HPKP. The experiment can always be canceled.
-
Reminds me of that genius that warned everybody that redaction in CT was terrible & unnecessary & too complex to implement. Ended up OK.
