Allowing pages to verify Ed25519 signatures before executing script seems like a nicely-deployable variant of SRI (also, it annoys @sleevi_) https://twitter.com/intenttoship/status/895222060649152513
I am *so* excited about this.
Replying to @durumcrustulum @mikewest
Why? (Legitimate question, as I don't think the use cases are that reasonable :P)
I think I probably agree with most of your objections. However, isn't it effectively just compression for SRI, reducing # of hashes in page?
Replying to @BRIAN_____ @sleevi_ and
Not compression exactly; it just makes SRI easier to deploy by making it easier to deal w/ subresource changes, right? No new capability.
Easier at first, but harder to maintain / bigger footgun (as captured on list). Feels sort of like 5 year TLS certs. "Nice" but bad...
IDK. Sigs seem like “just” detached (out of band) digests here. People have always misunderstood SRI to be more than it is, even w/o this.
It's about operational overhead more than it is about added capability. Detaching creates new opportunities for destructive laziness.
Well, we could try it and see. Seems unlikely to become worse than HPKP. The experiment can always be canceled.
Reminds me of that genius that warned everybody that redaction in CT was terrible & unnecessary & too complex to implement. Ended up OK.