@slightlylate @bcrypt @jaffathecake @homakov If SW is signed, then it can do what it wants, including checking signatures on importScripts()
@bcrypt: you need the signed package to be the only bundle you load from
/cc @wanderview @bfrancis @metromoxie @jaffathecake @homakov
-
-
@bcrypt: also signature that's not delivered with the content & HMAC'd is = ( /cc@wanderview@bfrancis@metromoxie@jaffathecake@homakovThanks. Twitter will use this to make your timeline better. UndoUndo
-
-
-
@slightlylate That sounds a lot like https://wiki.mozilla.org/FirefoxOS/New_security_model … which is using the packaging-on-the-web package format, but signed. -
@bfrancis: I'm glad y'all are taking that approach! It's exactly why I made sure it as sign-able = ) Head section is extensible.
End of conversation
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.
& Web Standards TL; Blink API OWNER
Named PWAs w/
DMs open. Tweets my own; press@google.com for official comms.