[whatwg] Checksum for external resources
Eduardo Robles Elvira
edulix at agoravoting.com
Tue Mar 11 07:23:30 PDT 2014
Hello:

I propose that external resources can be hashed. Before you jump on me,
I know that this has been proposed in the past [1] but I think it's that
time of the year to propose it again.

My concrete use-case is simple: I want to be able to use CDNs for common
javascript and CSS files, but I don't want to have to trust their server
administrators. That's why I'd like to be able to do something like this:

    <script
        type="text/javascript"
        src="//netdna.bootstrapcdn.com/js/bootstrap-3.0.1.min.js"
        digest="sha256://9a6a18e1719c987e5bc937abe">
    </script>

    <link
        rel="stylesheet"
        digest="sha256://9a6a18e1719c987e5bc937abe"
        href="//somecdn.com/themes/base-1.2.1.css"
        type="text/css"
        media="all" />

That's the only way I'd trust i.e. Google as a CDN, for example. Note,
these are files that should not change.

In a post-Snowden era, I think it's really important to improve the
security of the web. CDNs provide a useful service, but I don't want to
have to trust them. Yes, I want the cake, and eat it too.

Of course, this is just one use-case, there are others. This could be
applied also to <a> and maybe other tags too. And maybe this is not the
best layer to apply the checksum: another way could be to do this in
the URIs themselves [2], but I think that's more tricky.

But if you think that's the way it should be done, then so be it. The bottom
line for me is: I don't know at what level to apply the fix, but I do
think we need a solution for this. Unless NSA thinks otherwise, of
course :-)

Regards,
--
[1]
http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2012-October/037668.html
[2] something like sha512+https://thehash;path/to/file
--
Eduardo Robles Elvira, +34 668 824 393, https://agoravoting.com
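
The check that the proposed digest attribute implies, as an added example that is not part of the original post: parse the "algo://hex" value, hash the fetched bytes, and refuse the resource on any mismatch. It runs under Node.js; the function names, the algorithm allow-list and the sample bytes are assumptions constructed for illustration, and the attribute itself is the post's proposed syntax.

```javascript
// Added example: models the check a user agent would perform for the
// proposed digest="sha256://<hex>" attribute (proposal syntax, assumed here).
const { createHash, timingSafeEqual } = require('node:crypto');

// Assumed policy: allowed algorithms and their digest size in bytes.
const ALGORITHMS = { sha256: 32, sha384: 48, sha512: 64 };

// Parse "algo://hex" into { algo, expected }, rejecting anything malformed.
function parseDigest(attr) {
  const m = /^([a-z0-9]+):\/\/([0-9a-f]+)$/i.exec(String(attr).trim());
  if (!m) throw new Error('malformed digest attribute');
  const algo = m[1].toLowerCase();
  if (!Object.hasOwn(ALGORITHMS, algo)) {
    throw new Error(`unsupported algorithm: ${algo}`);
  }
  // A shortened hash must never be accepted as a prefix match.
  if (m[2].length !== ALGORITHMS[algo] * 2) {
    throw new Error('digest length does not match algorithm');
  }
  return { algo, expected: Buffer.from(m[2], 'hex') };
}

// Fail closed: the body is usable only if its bytes hash to the pinned value.
function verifyResource(body, attr) {
  let parsed;
  try {
    parsed = parseDigest(attr);
  } catch (err) {
    return { ok: false, reason: err.message };
  }
  const actual = createHash(parsed.algo).update(body).digest();
  if (!timingSafeEqual(actual, parsed.expected)) {
    return { ok: false, reason: 'digest mismatch' };
  }
  return { ok: true, reason: 'digest matches' };
}

// Constructed sample: stands in for the bytes the page author pinned.
const pinnedBody = Buffer.from('window.demo = function () { return 1; };\n');
const pinnedAttr =
  'sha256://' + createHash('sha256').update(pinnedBody).digest('hex');
// Constructed sample: the same file after it changed on the serving side.
const servedBody = Buffer.concat([pinnedBody, Buffer.from('/* changed */\n')]);

console.log(verifyResource(pinnedBody, pinnedAttr));
console.log(verifyResource(servedBody, pinnedAttr));
// The 25-character value in the post's markup is too short for SHA-256.
console.log(verifyResource(pinnedBody, 'sha256://9a6a18e1719c987e5bc937abe'));
```

Because the pin covers exact bytes, it only suits files that should not change, as the post notes; a legitimate update at the same URL fails the check just like a tampered file.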