
Suggestions, questions, thoughts on the text #2

Closed
noncombatant opened this issue Oct 4, 2016 · 2 comments

Comments

@noncombatant

“A substantial portion of the content downloaded by web user agents today consists of JavaScript frameworks. There are a relatively few frameworks which are both extremely popular and large in size. Many applications include these frameworks even if they only use a small portion of the functionality they provide.

In consequence, downloading, parsing, just-in-time compiling these frameworks represents a significant amount of the total network, battery and time budget for a modern browser.”

Rewrite for clarity and concision: “A small number of large, popular web application frameworks account for a substantial portion of the network, battery, and time budgets for a modern web user agent (UA). Many applications include these frameworks even if they only use a small portion of the functionality they provide. It would be a great improvement if UAs could pre-cache and pre-compile these libraries a single time, especially for UAs that do double-keyed caching for privacy.”

Question: What is double-keyed hashing? Maybe link to a definition.

Question: But don’t people use a billion variants of jQuery that have only the features they need? And jQuery has a billion versions? So really, even though everyone uses jQuery, nobody uses the same jQuery as anyone else?

Suggestion: s/browser/UA/g
Suggestion: s/user agent/UA/g after the 1st instance

“Cache-Control header”: Use, or don’t use, the code font consistently for headers.

Timing leaks: If everyone really is using the same jQuery, then B can’t really assume that the UA got a copy from A, right? It could just as well have been from C – Z.

“sha-256:hash-of-a’s-data”: don’t use curly quotes in code.

Suggestion: Do use them in prose though.

“Content-Security-Policy CSP3 allows resources to specify from which origins script may be loaded, as an attack surface reduction.”

When discussing protocols and ceremonies, I find it super important to keep track of who does what when, and in what context. Suggestion for clarity: “To reduce an origin’s attack surface, Content-Security-Policy CSP3 allows origins to specify from which origins the UA may load script to run in the context of the parent frame.” Or “parent document” or whatever else you think is more accurate.

“it would be bad if an attacker could inject the following into the resource:” ➝ “…inject the following code into the parent document:”

<script src="https://scripts.example.com/angular.min.js" integrity="sha-256:..." /> ➝ <script src="https://scripts.example.com/angular.min.js" integrity="sha-256:DEADBEEF0BADCAFE…" />

“And by so doing force example.com to load an old version of the Angular framework that allows bypassing of CSP, if the real https://scripts.example.com origin didn’t actually have a copy of that resource.” ➝ “and by so doing cause the UA to load and execute an old, vulnerable, or otherwise incorrect version of Angular in the context of example.com.”

“Similar restrictions might apply for features like Workers or ServiceWorkers which are required to be loaded same-origin as a similar security precaution.” ➝ “A similar risk might apply to features like Workers or ServiceWorkers. (As a security mechanism, UAs require that Workers and ServiceWorkers can only invoke scripts that come from the same origin. Origin laundering could bypass that mechanism.)”

“Luckily, browsers can do magic behind-the-scenes, and performance improvements, so long as they are correct from the perspective of application semantics and security, need not be precisely identical across the population of user agents.” Suggestion for clarity/concision: “As long as they do not violate the application’s semantics (including security), performance improvements need not be uniform across the population of UAs.” However, I’m not sure what that means. :)

“Origin laundering is a bit more difficult to address, but it can be handled with the same strategy that also informs population of the cache, so long as one is aware of the issue in advance.” Question: What strategy is that?

Typo: “alloted” ➝ allotted

Ahh, I see now what double-keying is. Maybe put a “(see below)” in the 1st place you mention it.

“If a resource’s Content-Security-Policy header explicitly lists the hash of an external resource as allowed, that could be interpreted as an authoritative statement that its origin provenance is irrelevant” ➝ “If a resource’s Content-Security-Policy header explicitly lists the hash of an external resource as allowed, the UA could interpret that as an authoritative statement that the resource’s provenance is irrelevant”
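The origin-laundering scenario the comment walks through, modelled as an added example (not code from the proposal or its author): a cache keyed by SRI digest alone serves cached bytes to any `src` that names the digest, whereas a cache that also records which origins actually served each digest refuses the injected `scripts.example.com` lookup. The URLs, the stand-in script bytes and the class names are constructed for this illustration.

```python
# Added example (not code from the proposal): toy SRI-addressable caches showing
# why a hit must also check the src origin. Scenario and URLs are constructed;
# tokens use the standard "sha256-<base64>" SRI form, not the draft's "sha-256:".
import base64
import hashlib
from urllib.parse import urlsplit

def sri_digest(data: bytes) -> str:
    return "sha256-" + base64.b64encode(hashlib.sha256(data).digest()).decode()

def origin_of(url: str) -> str:
    u = urlsplit(url)
    return f"{u.scheme}://{u.netloc}"

class NaiveSriCache:
    """Keyed by digest alone: any src carrying a matching integrity value hits."""
    def __init__(self):
        self.by_digest = {}
    def store(self, src: str, data: bytes) -> None:
        self.by_digest[sri_digest(data)] = data
    def lookup(self, src: str, integrity: str):
        return self.by_digest.get(integrity)

class OriginCheckedSriCache:
    """A hit also requires that the src origin was observed serving those exact
    bytes; otherwise the UA must go to the network (provenance is not laundered)."""
    def __init__(self):
        self.by_digest = {}
        self.served_by = {}  # digest -> set of origins that actually served it
    def store(self, src: str, data: bytes) -> None:
        d = sri_digest(data)
        self.by_digest[d] = data
        self.served_by.setdefault(d, set()).add(origin_of(src))
    def lookup(self, src: str, integrity: str):
        if origin_of(src) not in self.served_by.get(integrity, ()):
            return None
        return self.by_digest.get(integrity)

def laundering_demo():
    """Cache an old build from a legitimate origin, then request the same digest via
    an injected src whose origin never hosted it. Returns (naive hit, checked hit)."""
    old_build = b"/* constructed stand-in for an old framework build */"
    legit_src = "https://cdn.example.net/old-framework.js"       # constructed
    injected_src = "https://scripts.example.com/angular.min.js"  # from the comment
    naive, checked = NaiveSriCache(), OriginCheckedSriCache()
    naive.store(legit_src, old_build)
    checked.store(legit_src, old_build)
    digest = sri_digest(old_build)
    return (naive.lookup(injected_src, digest) is not None,
            checked.lookup(injected_src, digest) is not None)
```

The same provenance record is what a UA could also consult when a page's own Content-Security-Policy lists a hash explicitly, as the last quoted sentence suggests.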
@hillbrad
Owner

hillbrad commented Oct 4, 2016

Fixed in latest. Thanks!

@hillbrad hillbrad closed this as completed Oct 4, 2016
@noncombatant
Author

Oh wow, GitHub truncated my report! There was much more stuff. I will file the rest of it in a new bug. Sorry for not noticing the first time around. Thankfully I kept a copy.
