#1135: Incubation: Inline Integrity

Visit on Github.

Opened Aug 13, 2025

Explainer

https://mikewest.github.io/inline-integrity/#intro

The explainer

Where and by whom is the work is being done?

  • GitHub repo: https://github.com/mikewest/inline-integrity
  • Primary contacts:
    • Mike West, @mikewest, Google
  • Organization/project driving the design: Chrome
  • This work is being funded by: Google
  • Incubation and standards groups that have discussed the design:
  • Standards group(s) that you expect to discuss and/or adopt this work when it's ready: WebAppSec for SRI patches, WHATWG for HTML patches.

Feedback so far

You should also know that...

This is a counterpart to the subresource-signature proposal y'all reviewed in https://github.com/w3ctag/design-reviews/issues/1041.

It grew out of a discussion starting around https://github.com/WICG/signature-based-sri/issues/10#issuecomment-2591268614, describing developers' use cases that were difficult to handle via SRI as it currently exists.

<!-- Content below this is maintained by @w3c-tag-bot -->

Track conversations at https://tag-github-bot.w3.org/gh/w3ctag/design-reviews/1135

Discussions

Log in to see TAG-private discussions.

Discussed Sep 8, 2025 (See Github)

Ehsan: Will finalise review.

Discussed Sep 29, 2025 (See Github)

Ehsan: Reviewed it, no major issue. Posted by initial draft review. Jeffrey got back to me with feedback. In general, seemed fine with the overall feedback. Will prepare a draft final review.

Discussed Oct 6, 2025 (See Github)

Ehsan: I did a review of this; have two suggestions for the explainer which we have discussed with Jeffrey and the spec writers. Drafted a review and posted with Jeffrey's approval. Need to decide if we have consensus on it. If we do we could close this today. Any questions/concerns?

(none raised)

Lola: Should we ask again in plenary?

Ehsan: my suggestions are basically cosmetic on the explainer; don't have any architectural concens. Happy either way.

Lola: I think you should post your comment - looks good to go based on the discussion so far. The status should be 'validated'.

Comment by @toreini Oct 7, 2025 (See Github)

Dear @mikewest:

The proposal looks interesting. The explainer is aligned with the TAG's recommendations; however, we request to consider updating it with these suggestions:

  • The alternate solutions considered for this incubation is not mentioned in the explainer. Can you please add a section on this structured as Alternative → Pros → Cons → Reason for rejection. That makes the reasoning more transparent to external reviewers.
  • The explainer mainly focuses on the developer's benefits and how this integrity mechanism will fulfil their needs. This is ok; however, the explainer should also elaborate on end-use problem and explicitly mention how the proposal benefits the end-users. This also should be addressed.
Comment by @mikewest Oct 7, 2025 (See Github)

The alternate solutions considered for this incubation is not mentioned in the explainer. Can you please add a section on this structured as Alternative → Pros → Cons → Reason for rejection. That makes the reasoning more transparent to external reviewers.

Skimming through the discussion starting at https://github.com/WICG/signature-based-sri/issues/10#issuecomment-2591268614, I think the only alternatives I seriously considered were different spellings of the attributes. I'm happy to add some thoughts to that end in somewhere.

The explainer mainly focuses on the developer's benefits and how this integrity mechanism will fulfil their needs. This is ok; however, the explainer should also elaborate on end-use problem and explicitly mention how the proposal benefits the end-users. This also should be addressed.

I expect I'll follow the explainer explainer's boilerplate here, and find somewhere reasonable to paste the helpful text it suggests: "This feature is meant to improve website security, which reduces the frequency of breaches that compromise user data.".

Do you think additional justification of user benefit is necessary?

Otherwise, it sounds like y'all are directionally satisfied with this proposal? Or are there some details of the approach and/or spec on which you have feedback?

Comment by @jyasskin Oct 7, 2025 (See Github)

The explainer mainly focuses on the developer's benefits and how this integrity mechanism will fulfil their needs. This is ok; however, the explainer should also elaborate on end-use problem and explicitly mention how the proposal benefits the end-users. This also should be addressed.

I expect I'll follow the explainer explainer's boilerplate here, and find somewhere reasonable to paste the helpful text it suggests: "This feature is meant to improve website security, which reduces the frequency of breaches that compromise user data.".

Do you think additional justification of user benefit is necessary?

I think you have a hint at the user benefit, and it just needs to be inverted to be clear, and that spelling it out would help people understand why this is an important addition. Specifically, you have

"Developers, however, often have reasons (performance, privacy, etc) to avoid asking users' agents to take responsibility for these additional requests."

Those reasons are actually user benefits, so:

"Users experience performance and privacy benefits if the developer can inline some of those requests instead of asking the user's agent to make them directly to the source server."

Focusing on the user benefit here probably doesn't affect the design of this feature, because it's relatively simple, and you're already thinking of the user benefits in doing the design, but we should stay in the habit in case there are details that depend on which user benefits the feature is chasing.

(The "protections against injection attacks" are also a user benefit, but there's not as obvious a way to invert the sentence, so the boilerplate is appropriate for that one.)

(The TAG should remember to be more eager to spell out the likely rephrasing instead of just saying "end-user problem" and expecting explainer authors to DWIM.)

Otherwise, it sounds like y'all are directionally satisfied with this proposal? Or are there some details of the approach and/or spec on which you have feedback?

I'll let the Breakout C folks confirm, but I don't personally have any concerns, and I don't see any in the discussion.

Comment by @mikewest Oct 9, 2025 (See Github)

Incorporated @jyasskin's suggestions via https://github.com/mikewest/inline-integrity/commit/18961b1a2fa35695e5c0b9aeeb7a5da20ce1e37c. Thanks, all!

Discussed Oct 13, 2025 (See Github)

Ehsan: Already validated and posted comment - it's an incubation, so we'll review it later (liked Xiaocheng's way of putting this). Do we wait for anything?

Hadley: Mike West said he's incorporated Jeffrey's comments. What else are we waiting for?

Ehsan: Don't think we're waiting for anything else.

Hadley: What's 'resolution: validated'?

Lola: There are some new resolutions. 'Validated' is for something that's very new, an early, idea, and we think it's good. 'Satisfied' is for more mature things under review.

Ehsan: Should we close it?

Hadley: Sounds like it - if you want to put another comment along the lines of Xiaocheng's about being happy to open a new one later, feel free, if you think it's worranted.

Ehsan: will do.

Discussed Oct 20, 2025 (See Github)

Ehsan: That one is closed and resolved.

Comment by @toreini Oct 22, 2025 (See Github)

Dear @mikewest,

Thanks again for submitting this for review. We will close the issue now. Feel free to open another review request once you incorporated the edits.

Regards, Ehsan