#1135: Incubation: Inline Integrity
Discussions
Log in to see TAG-private discussions.
Discussed
Sep 8, 2025 (See Github)
Ehsan: Will finalise review.
Discussed
Sep 29, 2025 (See Github)
Ehsan: Reviewed it, no major issue. Posted by initial draft review. Jeffrey got back to me with feedback. In general, seemed fine with the overall feedback. Will prepare a draft final review.
Discussed
Oct 6, 2025 (See Github)
Ehsan: I did a review of this; have two suggestions for the explainer which we have discussed with Jeffrey and the spec writers. Drafted a review and posted with Jeffrey's approval. Need to decide if we have consensus on it. If we do we could close this today. Any questions/concerns?
(none raised)
Lola: Should we ask again in plenary?
Ehsan: my suggestions are basically cosmetic on the explainer; don't have any architectural concens. Happy either way.
Lola: I think you should post your comment - looks good to go based on the discussion so far. The status should be 'validated'.
Comment by @toreini Oct 7, 2025 (See Github)
Dear @mikewest:
The proposal looks interesting. The explainer is aligned with the TAG's recommendations; however, we request to consider updating it with these suggestions:
- The
alternate solutionsconsidered for this incubation is not mentioned in the explainer. Can you please add a section on this structured as Alternative → Pros → Cons → Reason for rejection. That makes the reasoning more transparent to external reviewers. - The explainer mainly focuses on the developer's benefits and how this integrity mechanism will fulfil their needs. This is ok; however, the explainer should also elaborate on
end-use problemand explicitly mention how the proposal benefits the end-users. This also should be addressed.
Comment by @mikewest Oct 7, 2025 (See Github)
The
alternate solutionsconsidered for this incubation is not mentioned in the explainer. Can you please add a section on this structured as Alternative → Pros → Cons → Reason for rejection. That makes the reasoning more transparent to external reviewers.
Skimming through the discussion starting at https://github.com/WICG/signature-based-sri/issues/10#issuecomment-2591268614, I think the only alternatives I seriously considered were different spellings of the attributes. I'm happy to add some thoughts to that end in somewhere.
The explainer mainly focuses on the developer's benefits and how this integrity mechanism will fulfil their needs. This is ok; however, the explainer should also elaborate on
end-use problemand explicitly mention how the proposal benefits the end-users. This also should be addressed.
I expect I'll follow the explainer explainer's boilerplate here, and find somewhere reasonable to paste the helpful text it suggests: "This feature is meant to improve website security, which reduces the frequency of breaches that compromise user data.".
Do you think additional justification of user benefit is necessary?
Otherwise, it sounds like y'all are directionally satisfied with this proposal? Or are there some details of the approach and/or spec on which you have feedback?
Comment by @jyasskin Oct 7, 2025 (See Github)
The explainer mainly focuses on the developer's benefits and how this integrity mechanism will fulfil their needs. This is ok; however, the explainer should also elaborate on
end-use problemand explicitly mention how the proposal benefits the end-users. This also should be addressed.I expect I'll follow the explainer explainer's boilerplate here, and find somewhere reasonable to paste the helpful text it suggests: "This feature is meant to improve website security, which reduces the frequency of breaches that compromise user data.".
Do you think additional justification of user benefit is necessary?
I think you have a hint at the user benefit, and it just needs to be inverted to be clear, and that spelling it out would help people understand why this is an important addition. Specifically, you have
"Developers, however, often have reasons (performance, privacy, etc) to avoid asking users' agents to take responsibility for these additional requests."
Those reasons are actually user benefits, so:
"Users experience performance and privacy benefits if the developer can inline some of those requests instead of asking the user's agent to make them directly to the source server."
Focusing on the user benefit here probably doesn't affect the design of this feature, because it's relatively simple, and you're already thinking of the user benefits in doing the design, but we should stay in the habit in case there are details that depend on which user benefits the feature is chasing.
(The "protections against injection attacks" are also a user benefit, but there's not as obvious a way to invert the sentence, so the boilerplate is appropriate for that one.)
(The TAG should remember to be more eager to spell out the likely rephrasing instead of just saying "end-user problem" and expecting explainer authors to DWIM.)
Otherwise, it sounds like y'all are directionally satisfied with this proposal? Or are there some details of the approach and/or spec on which you have feedback?
I'll let the Breakout C folks confirm, but I don't personally have any concerns, and I don't see any in the discussion.
Comment by @mikewest Oct 9, 2025 (See Github)
Incorporated @jyasskin's suggestions via https://github.com/mikewest/inline-integrity/commit/18961b1a2fa35695e5c0b9aeeb7a5da20ce1e37c. Thanks, all!
OpenedAug 13, 2025
Explainer
https://mikewest.github.io/inline-integrity/#intro
The explainer
Where and by whom is the work is being done?
Feedback so far
You should also know that...
This is a counterpart to the subresource-signature proposal y'all reviewed in https://github.com/w3ctag/design-reviews/issues/1041.
It grew out of a discussion starting around https://github.com/WICG/signature-based-sri/issues/10#issuecomment-2591268614, describing developers' use cases that were difficult to handle via SRI as it currently exists.
<!-- Content below this is maintained by @w3c-tag-bot -->Track conversations at https://tag-github-bot.w3.org/gh/w3ctag/design-reviews/1135