[whatwg] Checksum for external resources

Eduardo Robles Elvira edulix at agoravoting.com
Tue Mar 11 07:23:30 PDT 2014


I propose that external resources can be hashed. Before you jump on me,
I know that this has been proposed in the past [1] but I think it's that
time of the year to propose it again.

My concrete use-case is simple: I want to be able to use CDNs for common
javascript and CSS files, but I don't want to have to trust their server
administrators. That's why I'd like to be able to do something like this:


  media="all" />

That's the only way I'd trust i.e. Google as a CDN, for example. Note,
these are files that should not change.

In a post-Snowden era, I think it's really important to improve the
security of the web. CDNs provide an useful service, but I don't want to
have to trust them. Yes, I want the cake, and eat it too.

Of course, this is just one use-case, there are others. This could be
applied also to <a> and maybe other tags too. And maybe this is not the
best layer to apply the checksum:  another way could be to do this in
the URIs themselves [2], but I think that's more tricky..

But if you think that's way it should be done, then so be it. The bottom
line for me is: I don't know at what level to apply the fix, but I do
think we need a solution for this. Unless NSA thinks otherwise, of
course :-)

[2] something like sha512+https://thehash;path/to/file
Eduardo Robles Elvira, +34 668 824 393, https://agoravoting.com

More information about the whatwg mailing list