Hacker News
Ask HN: Why haven't browsers implemented code signing for web pages yet?
1 points by nibdo 1240 days ago
Over the years, people have been asking for some sort of code signing for web apps, like native apps have.

But I still see no movement in this direction, although we now have plenty of web apps focused on security and encryption. And every time, someone tells you that there is a risk in trusting source code downloaded from the server.

But why haven't at least some browsers (or multiple forks of them) implemented it yet?

This is less of a problem on desktops, where you can just develop an extension, but on mobile I guess it's more complicated.

Is there a risk that mobile application stores would reject such a modification? Or do companies/developers just not see demand for this feature?

I don't have experience developing browsers, but I don't see this as technically impossible. You don't even need a central key repository, as you can add trusted sources manually for each site.

2 comments

How much improvement would this provide over web pages transmitted over SSL, practically speaking? (said another way: what’s the practical use case this would help?)

This is a different issue than the data transmitted.

For example, you have an email web app with E2E encryption. With client-side E2E encryption you don't need to trust the server with your data, but you definitely have to trust the client.

But here comes the problem: the client is distributed from the server you don't want to trust, and each page refresh can download new code from the server.

You need to somehow check that the client has not been made malicious by an attacker or whoever.

With code signing you can do two things:
- check if the code was signed by the developer and block downloading new source if not
- or, even more advanced, verify that the signed build you are downloading is actually the build which is published somewhere and can be audited.

Isn't that just CSP & using the hashes for files?
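
The check discussed in this thread (a developer signature over the code, verified against a key the user trusted manually for that site, with per-file hashes as in the CSP/hashes reply), as an added example that is not part of the original thread. It runs in Node.js rather than inside a browser; `signRelease`, `verifyRelease`, the manifest layout and the origin `https://mail.example` are assumptions made for illustration.

```javascript
// Added example, not from the thread. All names and the manifest layout are hypothetical.
const crypto = require('node:crypto');

// SRI-style digest of one asset body.
const digest = (body) =>
  'sha256-' + crypto.createHash('sha256').update(body).digest('base64');

// Developer side: sign a canonical (sorted) manifest of [path, digest] pairs.
function signRelease(files, privateKey) {
  const entries = Object.keys(files).sort().map((p) => [p, digest(files[p])]);
  const manifest = JSON.stringify(entries);
  const signature = crypto.sign(null, Buffer.from(manifest), privateKey);
  return { manifest, signature: signature.toString('base64') };
}

// Client side: pinnedKeys is the user's per-origin trust store (Map: origin -> public key).
function verifyRelease(origin, release, served, pinnedKeys) {
  const key = pinnedKeys.get(origin);
  if (!key) return { ok: false, reason: 'no pinned key for origin' };
  const sig = Buffer.from(release.signature, 'base64');
  // Verify the signature before parsing or trusting anything in the manifest.
  if (!crypto.verify(null, Buffer.from(release.manifest), key, sig))
    return { ok: false, reason: 'bad manifest signature' };
  const signed = new Map(JSON.parse(release.manifest));
  // Every served file must be listed and byte-identical to the signed build.
  for (const [path, body] of Object.entries(served))
    if (signed.get(path) !== digest(body))
      return { ok: false, reason: `unsigned or modified: ${path}` };
  // Every signed file must actually be served (no silently dropped assets).
  for (const path of signed.keys())
    if (!Object.hasOwn(served, path)) return { ok: false, reason: `missing: ${path}` };
  return { ok: true, reason: 'all assets match signed manifest' };
}

// Constructed sample data: a two-file build and a freshly generated Ed25519 key pair.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
const ORIGIN = 'https://mail.example';
const build = {
  '/index.html': '<script src="/app.js"></script>',
  '/app.js': 'encryptAndSend();',
};
const release = signRelease(build, privateKey);
const pinned = new Map([[ORIGIN, publicKey]]);
console.log(verifyRelease(ORIGIN, release, build, pinned));
```

Hashes alone only bind files to a manifest that the same server delivers; the signature over the manifest is what ties the build to a key held outside the server.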