From 6e6abb792db50e51c86b91087ff812afa7703ed5 Mon Sep 17 00:00:00 2001 From: Mike West Date: Mon, 16 Dec 2024 11:33:32 +0100 Subject: [PATCH] Shifting to use the internal response. Rather than safelisting the relevant headers, this patch shifts the spec's algorithms to read them from the internal response, as discussed in [1]. [1]: https://github.com/WICG/signature-based-sri/issues/17#issuecomment-2544900844 --- index.bs | 49 ++++++++++++++----------------------------------- 1 file changed, 14 insertions(+), 35 deletions(-) diff --git a/index.bs b/index.bs index a357f69..a061c19 100644 --- a/index.bs +++ b/index.bs @@ -636,43 +636,22 @@ following steps. They return `valid` if the signature is valid, or `invalid` oth Patches to Fetch {#monkey-patch-fetch} -------------------------------------- -Support for this feature would require twoish changes to [[Fetch]]: - -### Safelist Headers ### {#patch-cors-list} - -First, we extend Fetch's [=CORS-safelisted response-header name=] list to -include the [:Signature:], [:Signature-Input:], and [:Identity-Digest:] headers. -This makes the processing model clear by including these headers along with the -[=CORS filtered response=]. - -ISSUE(#17): We have at least three options: extend the safelist as proposed here, -reach into a [=/response=]'s [=internal response=] when doing validation -below, or require developers to add these headers to each response's -[:Access-Control-Expose-Headers:] header. Extending the safelist is simplest for -developers and clarifying for spec authors. That said, other headers with -similar effect rely on accessing [=internal responses=] (see e.g. CORP checks in -step 5 of [[Fetch#http-fetch]], as well as MIX/CSP/MIME/nosniff in step 19 of -[[Fetch#main-fetch]]). Perhaps that's even more clear and direct? - - -### Patching Main Fetch ### {#patch-main-fetch} - -Next, we'll make two changes to [[Fetch#main-fetch]] to support enforcement of -server-initiated integrity checks through [:Identity-Digest:], [:Signature:], -and [:Signature-Input:], and to pass the right set of information into the version -of [[SRI#does-response-match-metadatalist]] altered by this specification in order -to enable signature-based checks that require information from the request -([=request/integrity metadata=] on the one hand, request headers and properties -for signature components on the other) and the response (integrity headers and -the body): +Support for this feature would require changes to [[Fetch#main-fetch]] to support +enforcement of server-initiated integrity checks through [:Identity-Digest:], +[:Signature:], and [:Signature-Input:], and to pass the right set of information +into the version of [[SRI#does-response-match-metadatalist]] altered by this +specification in order to enable signature-based checks that require information +from the request ([=request/integrity metadata=] on the one hand, request headers +and properties for signature components on the other) and the response (integrity +headers and the body): [[Fetch#main-fetch]] step 22 will be updated as follows:
  1. If |request|'s [=request/integrity metadata=] is not the empty string, - or |response|'s [=response/header list=] [=list/contains=] - [:Identity-Digest:], then: + or internalResponse's [=response/header list=] + [=list/contains=] [:Identity-Digest:], then:
    1. @@ -690,9 +669,9 @@ the body):
    2. Perform server-initiated integrity checks on bytes, - request, and response. If the result - is "`failed`", then run processBodyError and abort - these steps. + request, and internalResponse. + If the result is "`failed`", then run processBodyError and + abort these steps.
    3. @@ -702,7 +681,7 @@ the body): Perform client-initiated integrity checks given request - and response, + and internalResponse, then run processBodyError and abort these steps. [[!SRI]]