Last active August 29, 2020 14:52

[9:44 AM] dckc:: SRI only works for <script> and .
[9:47 AM] dckc:: <script> does seem to work within data: ... so one could construct a data: URI that uses <script> with subresource integrity to securely fetch js (which would in turn supply HTML, CSS, etc.). ..
[9:47 AM] dckc:: so yes, that's technically sufficient to do secure content-addressable storage retrieval...
[9:47 AM] dckc:: but the UX isn't much better than having people install a browser add-on
[9:48 AM] dckc:: now a browser-add-on that would verify web pages based on on-chain info would be straightforward

rchain/RevVault.rho at dev · rchain/rchain

Issues · rchain/rchain

(RNExt-01) - Event processing framework · Issue #13 · rchain/rchip-proposals rchain/rchip-proposals#13

liquid-democracy/Ballot.rho at ocap-review · rchain-community/liquid-democracy

NotaryInspector · dckc/awesome-ocap Wiki

Content-addressable storage - Wikipedia

Subresource Integrity |

Subresource Integrity - Web security | MDN

data: URI Generator

Data URLs - HTTP | MDN

Blocking Top-Level Navigations to data URLs for Firefox 59 - Mozilla Security Blog

Editing sri-test.js

Cross-Origin Read Blocking (CORB) - Chrome Platform Status

alert('SRI test passed')