Closed
Milestone
Content Integrity PoC
libresilient relies on fetching content from potentially untrustworthy third parties. It would make sense to be able to verify fetched content before serving it from the Service Worker to the user.
This would also allow website admins to partially defend against main domain takeover situations, by rejecting unverified/unverifiable content even if it comes from the main domain.
- Research and document possible options for implementing integrity checks; options include:
  - Request.integrity API
  - other ways of using Subresource Integrity
  - JS implementations of hash functions (with focus on speed; example)
- Consider and implement necessary modifications to data types used by libresilient for defining and describing content to be fetched
- Implement at least a PoC of content integrity checking
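
As an added illustration of the Subresource Integrity option listed above (this is not libresilient's code), the sketch below verifies fetched bytes against an SRI-style integrity string using WebCrypto, as available in a Service Worker. The function names `parseIntegrity`, `digestBase64`, `verifyContent` and `verifiedResponse` are hypothetical, and rejecting content that has no usable integrity metadata is an assumed policy chosen to match the goal of rejecting unverifiable content.

```javascript
// Added example (not libresilient code). Runs in a Service Worker or Node.
const subtle = (globalThis.crypto ?? require("node:crypto").webcrypto).subtle;

// SRI prefix -> WebCrypto digest name, ordered weakest to strongest.
const ALGOS = { sha256: "SHA-256", sha384: "SHA-384", sha512: "SHA-512" };
const STRENGTH = Object.keys(ALGOS);

// Parse "sha256-<b64> sha512-<b64>?opts" and keep only the digests of the
// strongest algorithm present, which is how SRI selects what to compare.
function parseIntegrity(integrity) {
  let best = -1;
  let digests = [];
  for (const token of String(integrity ?? "").trim().split(/\s+/)) {
    const m = /^(sha(?:256|384|512))-([A-Za-z0-9+/]+={0,2})(?:\?.*)?$/.exec(token);
    if (!m) continue; // unknown algorithm or malformed token: ignore it
    const rank = STRENGTH.indexOf(m[1]);
    if (rank > best) { best = rank; digests = []; }
    if (rank === best) digests.push(m[2]);
  }
  return best < 0 ? null : { algo: STRENGTH[best], digests };
}

async function digestBase64(algo, bytes) {
  const hash = new Uint8Array(await subtle.digest(ALGOS[algo], bytes));
  return btoa(String.fromCharCode(...hash));
}

// Assumed policy: fail closed. Missing or unusable metadata means "reject",
// unlike browser SRI, which skips the check when no valid digest is given.
async function verifyContent(bytes, integrity) {
  const parsed = parseIntegrity(integrity);
  if (!parsed) return false;
  return parsed.digests.includes(await digestBase64(parsed.algo, bytes));
}

// For a fetch handler: hash a clone so the original body can still be served.
async function verifiedResponse(response, integrity) {
  const bytes = await response.clone().arrayBuffer();
  if (!(await verifyContent(bytes, integrity))) {
    throw new Error("integrity check failed: " + response.url);
  }
  return response;
}
```

Because only the strongest listed algorithm is compared, a matching `sha256` digest does not rescue content whose `sha512` digest is wrong.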