by littlestymaar 1096 days ago
> I suspect they want a browser feature to show fingerprints of the HTML and of subresources possibly to pin a certificate for a given domain.

You can do pretty much all you want in a ServiceWorker today[1], but I'll advise against pinning certificates, because you'd just be re-making HPKP again, with the same gigantic footgun.

> A browser setting to only load subresources with integrity checks would also help

A “browser setting”? What's the point if the user needs to set it up themselves to be secure? Some kind of linting tool on CI in order to be sure you never include a resource without SRI would be nice, but it's not really the responsibility of the browser here.

[1]: you can see an example of that here: https://arxiv.org/pdf/2105.05551.pdf (Note that I've just DuckduckGo-ed a quick example, I haven't read this particular paper and can't say if their scheme is particularly good, but that'd give you an idea).