| 08:47 | <freddy> | 0x6a61: most browsers support integrity (hashes, not signatures) via https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity. There were ideas to advance this toward signatures (https://github.com/mikewest/signature-based-sri#the-proposal), but they did not go any further |
| 13:33 | <littledan> | I think that stalled on a sort of perfectionism, that such signatures should be in a separate file to avoid chained updates (a current problem with SRI) |
| 13:33 | <littledan> | the current Chrome-prioritized parallel resource files are around prefetching, so maybe that shows a way |
| 13:33 | <littledan> | I am sure Domenic has thought more about this |
| 13:33 | <littledan> | I was hoping import assertions would meet this use case, but no, due to the chain update issue (that you have to update the hash/signature of recursive dependencies if the hash/signature of their dependency is actually inside of them, as opposed to off to the side) |