On Thu, Oct 1, 2015, at 01:50 AM, Travis Biehn wrote:
> What would be solid is if there were a browser module that did several things:
>
> - Eliminated JavaScript dynamic calls (eval, new function(), setTimeout, setInterval, so on.)
> - Eliminate 3rd party assets.
> - Allowed web assets to be signed.
> - Allowed sets of web assets to be versioned (and attested to by 3rd parties.)
>
> The combination of signing, versioning and lack of dynamic features paves the way for uninjectable, client-side in browser encryption/decryption. Something AFAIK we cannot do today. Is anyone working on it?
So Nginx has a built-in module "ngx_http_gzip_module" which does the following (if "Accept-Encoding: gzip" was part of the request headers):

- Sees request for "foo.html"
- Checks if "foo.html.gz" exists
- If so, serves that in place of the "foo.html"
- If not, gzips "foo.html" on the fly

What would be nice is an Nginx module which did the same type of thing, but for hashing the body:

- Sees request for "foo.html"
- Checks if "foo.html.sha256" exists
- If so, serves "foo.html" along with "Content-Hash: <sha256>" header, taken from contents of "foo.html.sha256"
- If not, serves "foo.html" along with "Content-Hash: <sha256>" header, but calculated on the fly

This would be a cheap and easy way to get some form of content hashing.

Thoughts?

Alfie

--
Alfie John
alfiej@fastmail.fm
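
The lookup proposed in the message above, sketched outside Nginx as an added Python example (not code from the thread or from Nginx). The `Content-Hash` header name and the `.sha256` sidecar come from the post; the sidecar format (first field is a hex digest, as `sha256sum` writes it) and the rule that a sidecar older than the body is ignored are assumptions made here.

```python
import hashlib
import os
import re
import tempfile

HEX_SHA256 = re.compile(r"[0-9a-f]{64}")

def sha256_file(path, chunk_size=65536):
    """Stream the body through SHA-256 so large files are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def content_hash(path):
    """Return (hex_digest, source); source is "sidecar" or "computed"."""
    sidecar = path + ".sha256"
    try:
        with open(sidecar, "r", encoding="ascii") as fh:
            fields = fh.read(256).split()
        # Assumption: a sidecar older than the body is stale and is ignored,
        # so an updated foo.html is never served with an outdated hash.
        fresh = os.stat(sidecar).st_mtime_ns >= os.stat(path).st_mtime_ns
        if fields and fresh and HEX_SHA256.fullmatch(fields[0].lower()):
            return fields[0].lower(), "sidecar"
    except (OSError, UnicodeDecodeError):
        pass  # missing or unreadable sidecar: fall through to on-the-fly
    return sha256_file(path), "computed"

def content_hash_header(path):
    """Header pair to send with the body (header name as proposed in the post)."""
    digest, _ = content_hash(path)
    return ("Content-Hash", digest)

if __name__ == "__main__":
    # Constructed sample file, created in a temporary directory.
    with tempfile.TemporaryDirectory() as d:
        body = os.path.join(d, "foo.html")
        with open(body, "wb") as fh:
            fh.write(b"<h1>constructed sample</h1>\n")
        print(content_hash(body))            # no sidecar yet: computed
        with open(body + ".sha256", "w") as fh:
            fh.write(sha256_file(body) + "  foo.html\n")
        print(content_hash(body))            # sidecar present: reused
        print("%s: %s" % content_hash_header(body))
```

A malformed or stale sidecar falls back to hashing the body, so the header always describes the bytes actually served.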