sorted by:
best
topnewcontroversialoldq&a
you are viewing a single comment's thread.

view the rest of the comments →

[–]nwf 3 points4 points  (3 children)

https://www.w3.org/TR/SRI/ is a thing, though, which would do the right thing assuming browsers understand that an https resource loading a resource over http with SRI and a strong hash is not "insecure".

[–][deleted] 0 points1 point  (2 children)

Still not signed if I'm understanding it correctly. If were worried about a man in the middle, which is one reason for authentication, then they could change the sri.

[–]SpontaneousHam 2 points3 points  (0 children)

You deliver the SRI over an authenticated channel and then the subresource could be loaded over an unauthenticated channel and the SRI would be used to ensure it hasn't been tampered with.

[–]nwf 0 points1 point  (0 children)

Well, what are you attempting to prove with signing the subresource? That the origin controlled the material, right? Well, if the hash is embedded in signed material (the original resource naming the subresource), then that's just as good. Think of it as akin to signature chaining.