Upstream pieces of this proposal to Fetch, HTML, SRI, and CSP. #49
Description
https://wicg.github.io/signature-based-sri/#monkey-patches defines a variety of monkey patches to other specifications in order to spell out how this functionality works. It seems like a good time to begin upstreaming things:
Fetch
-
SignatureandSignature-Inputenforcement -
Unencoded-Digestenforcement (both the hook at the end of Main Fetch, and processing the header) -
Accept-Signatureappended in HTTP-network-or-cache-fetch
SRI
- The
ed25519-integrityprofile - Parsing
- Matching
- Validation
- All the ancillary bits: security, privacy, and deployment considerations. Threat model. Delta to hashes. Examples, etc.