2023-01-13
[13:45:37.0553] <0x6a61>
Hi, bit of an off topic question: I have a feature request (use of code signing for javascript) but I'm not sure where to place this request. It probably needs to be discussed within W3C? Has anyone an idea where to place feature requests like this (browser features)?


2023-01-15
[00:19:37.0307] <ljharb>
> <@0x6a61:matrix.org> Hi, bit of an off topic question: I have a feature request (use of code signing for javascript) but I'm not sure where to place this request. It probably needs to be discussed within W3C? Has anyone an idea where to place feature requests like this (browser features)?

can you elaborate? If it operates on files, it wouldn’t be part of the language, so probably whatwg and/or node


2023-01-19
[00:47:55.0398] <freddy>
0x6a61: most browsers support _integrity_ (hashes, not signatures) via https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity. There were ideas to advance this toward signatures (https://github.com/mikewest/signature-based-sri#the-proposal), but they did not go any further

[05:33:32.0699] <littledan>
I think that stalled on a sort of perfectionism, that such signatures should be in a separate file to avoid chained updates (a current problem with SRI)

[05:33:33.0338] <littledan>
the current Chrome-prioritized parallel resource files are around prefetching, so maybe that shows a way

[05:33:33.0690] <littledan>
I am sure Domenic has thought more about this

[05:33:55.0943] <littledan>
I was hoping import assertions would meet this use case, but no, due to the chain update issue (that you have to update the hash/signature of recursive dependencies if the hash/signature of their dependency is actually inside of them, as opposed to off to the side)