by Retr0id 704 days ago
In terms of version-pinning, the next-best idea I can come up with is to deploy your app as an HTML file with a single JS script, using subresource integrity[0] for the script. (The rest of the HTML content would need to be dynamically inserted by said script)

The developer can still change the HTML file, but if they change the script it's easy(ish) to observe that the hash has changed.

GitHub recently introduced[1] an "artifact attestation" system, which is essentially a way to demonstrate that a particular build was built by a particular source tree (although the precise security properties are more subtle than I've summarized here). Combining these two things and writing a static "load the most recent version and verify its integrity" script could be interesting.

[0] https://developer.mozilla.org/en-US/docs/Web/Security/Subres...

[1] https://github.blog/2024-05-02-introducing-artifact-attestat...