
URL Integrity

Author: Michael Vorburger.ch
Status: In public review, feedback welcome!

Abstract

In order to guarantee the integrity of web (HTML, JS, CSS, etc.) resources fetched by HTTP, we propose a “convention” to add an ?integrity= URL query parameter. Its value is a cryptographic hash of the resource (a plain digest, not a keyed Message Authentication Code: there is no shared secret), which the client recomputes over the fetched byte stream and compares with the value in the URL.

Description

The value of the ?integrity= URL query parameter is a Multibase encoded Multihash, as defined by Multiformats. The Multihash self-describes the hash function and digest length (e.g. sha2-256 with a 32 byte digest), and the leading Multibase character self-describes the text encoding (e.g. z for base58btc, b for base32), so neither has to be agreed out of band.

The verification happens after the resource has been (fully) fetched by HTTP, but before any consumer uses it. A mismatch, as well as a malformed or unsupported integrity value, should be treated as a failed fetch rather than as a warning.

This can be done by an HTTP client, or post-processor, such as:

  • CLI downloading tool
  • Server-side library used to fetch remote content by HTTP
  • Web Browser Extension / Plug-In
  • Web Browser HTTP stack natively
  • Client-side JavaScript? A client-side JavaScript library, itself loaded over HTTP by an HTML page, could check the integrity of the additional resources it loads, but there is a “chicken and egg” problem: nothing verifies that the first load (the page and the library) was not already tampered with. Therefore one of the other approaches must be used for the initial resources.
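The following is an added, self-contained example of the convention described above, written for this page; it is not the Enola.dev implementation. It builds an ?integrity= value (sha2-256 Multihash, base58btc Multibase by default) and verifies one after a fetch, failing closed on a missing, duplicated, malformed or unsupported value. The Multibase prefixes z, b and f and the Multihash codes 0x12 (sha2-256) and 0x13 (sha2-512) are taken from the Multiformats tables; which of them a given client supports is an assumption of this example. The resource bytes and URL in the demo are constructed.

```python
"""Create and verify ?integrity= URL parameters: a Multibase-encoded Multihash.
Added example, not the Enola.dev code. Assumed subset of Multiformats:
Multibase z (base58btc), b (base32, lower case, unpadded), f (base16);
Multihash codes 0x12 (sha2-256) and 0x13 (sha2-512)."""
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

HASH_CODES = {0x12: ("sha256", 32), 0x13: ("sha512", 64)}  # multicodec code -> (hashlib name, digest length)
B58_ALPHABET = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def _uvarint_encode(n: int) -> bytes:
    out = bytearray()
    while True:
        b, n = n & 0x7F, n >> 7
        out.append(b | 0x80 if n else b)  # continuation bit set while more groups follow
        if not n:
            return bytes(out)

def _uvarint_decode(buf: bytes, pos: int = 0):
    result = shift = 0
    while True:
        if pos >= len(buf) or shift > 63:
            raise ValueError("truncated or oversized varint")
        b, pos = buf[pos], pos + 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7

def _b58encode(data: bytes) -> str:
    n, out = int.from_bytes(data, "big"), bytearray()
    while n:
        n, rem = divmod(n, 58)
        out.append(B58_ALPHABET[rem])
    zeros = len(data) - len(data.lstrip(b"\x00"))  # each leading 0x00 byte becomes '1'
    return (b"1" * zeros + bytes(reversed(out))).decode()

def _b58decode(text: str) -> bytes:
    n = 0
    for ch in text.encode():
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError("invalid base58btc character")
        n = n * 58 + idx
    zeros = len(text) - len(text.lstrip("1"))
    return b"\x00" * zeros + n.to_bytes((n.bit_length() + 7) // 8, "big")

def multibase_encode(prefix: str, data: bytes) -> str:
    if prefix == "z":
        return "z" + _b58encode(data)
    if prefix == "b":
        return "b" + base64.b32encode(data).decode().lower().rstrip("=")
    if prefix == "f":
        return "f" + data.hex()
    raise ValueError(f"unsupported multibase prefix {prefix!r}")

def multibase_decode(text: str) -> bytes:
    prefix, body = text[:1], text[1:]
    if prefix == "z":
        return _b58decode(body)
    if prefix == "b":
        return base64.b32decode(body.upper() + "=" * (-len(body) % 8))
    if prefix == "f":
        return bytes.fromhex(body)
    raise ValueError(f"unsupported multibase prefix {prefix!r}")

def multihash(data: bytes, code: int = 0x12) -> bytes:
    """<varint code><varint digest length><digest>, per the Multihash spec."""
    name, length = HASH_CODES[code]
    return _uvarint_encode(code) + _uvarint_encode(length) + hashlib.new(name, data).digest()

def integrity_param(data: bytes, prefix: str = "z", code: int = 0x12) -> str:
    """Value to put after ?integrity= for a resource whose bytes are `data`."""
    return multibase_encode(prefix, multihash(data, code))

def verify_integrity(url: str, body: bytes) -> bool:
    """True iff the single ?integrity= value in `url` matches the fetched `body`.
    Fails closed: a missing, duplicated, malformed or unsupported value raises."""
    values = parse_qs(urlsplit(url).query).get("integrity", [])
    if len(values) != 1:
        raise ValueError("expected exactly one integrity parameter")
    raw = multibase_decode(values[0])
    code, pos = _uvarint_decode(raw)
    length, pos = _uvarint_decode(raw, pos)
    if code not in HASH_CODES:
        raise ValueError(f"unsupported multihash code 0x{code:x}")
    name, want_len = HASH_CODES[code]
    expected = raw[pos:]
    if length != want_len or len(expected) != want_len:
        raise ValueError("multihash digest length does not match its code")
    return hmac.compare_digest(hashlib.new(name, body).digest(), expected)

if __name__ == "__main__":
    content = b"console.log('hello');\n"  # constructed stand-in for a fetched resource
    url = "https://example.com/app.js?v=3&integrity=" + integrity_param(content)
    print(url, "intact:", verify_integrity(url, content), "tampered:", verify_integrity(url, content + b"//"))
```

Two practical points the code makes explicit: the digest comparison uses hmac.compare_digest (constant time, cheap to do right), and the Multibase encodings chosen here are all URL-safe. A plain base64 Multibase (prefix m) would put + and / into the query string, where + is decoded as a space by parse_qs and most servers, so it would have to be percent-encoded; base58btc, base32 or base64url are the safer choices for a query parameter.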

Implementations

This is currently implemented as described by the Enola.dev fetch CLI command; see announcement.

Alternatives

HTTPS also guarantees integrity, but only in transit between the web server and the browser: it assures the client that the bytes came unmodified from a server holding a certificate for that host name, not that those bytes are the ones the author of the link intended (a compromised server, CDN or hosting account still serves perfectly “valid” HTTPS). It also has a different “trust model” than this approach, relying on trustworthy certificate authorities, and there are some known challenges with that.

IPFS also solves this, differently again, since its content addresses are hashes of the content. As far as the author understands, however, the integrity guarantee only really holds when running a local node and using a browser extension that redirects /ipfs/ HTTP requests to it; it cannot be enforced when using a remote IPFS HTTP Gateway, because a client that does not verify the hash itself must then implicitly trust the gateway again.

It’s of course also possible to “manually” do the equivalent by using sha256sum-like CLI commands, but such explicit steps have much lower usability than something directly integrated into clients.

TODO

  1. Explore hacking a browser extension which validates integrity= on page load
  2. Write an HTML post-processor (like KISSfp was!) which adds it to all a/href links to local files of a static site
  3. Consider whether naming the parameter integrity could cause confusion with HTML Subresource Integrity (SRI), whose syntax (e.g. sha256-<base64 digest>) differs from a Multibase encoded Multihash
  4. Consider the risk of “clashes” with existing query parameters of the same name on sites that already use ?integrity= for something else

References