Origin-Signed HTTP Exchanges
- Category: Network / Connectivity
- Type: New or changed feature
- Status: Enabled by default (Chrome 73)
- Intent stage: None
Summary
Allows a site to sign HTTP request/response pairs (exchanges) with the private key of a certificate for its origin, so that a browser can treat them as authoritative for that origin even when the server that delivered them is not authoritative for it.
This is part of Web Packaging, which will allow people to share web applications peer-to-peer, while offline, with proof that an app comes from its original author.
This also shares some infrastructure with signature-based SRI.
Standards & signals
- Specification: https://wicg.github.io/webpackage/draft-yasskin-http-origin-signed-responses.html
- Firefox: Negative
- Safari: No signal — Maciej Stachowiak: "some of my colleagues from the WebKit team have given more specific security feedback. Some of it has been addressed. And the Security Considerations section is less scary. But even so, I'd say we are pretty uncomfortable with this approach, for similar reasons to Mozilla. We can see some advantages to Google re-serving the whole web from their own servers and getting browsers to present it as if it comes from the origin, but it also seems like a worrisome change to the web security model."
- Web developers: Positive
- Tracking bug: https://crbug.com/803774
Docs: https://github.com/WICG/webpackage/blob/master/explainer.md