http://blog.360.yahoo.com/blog-TBPekxc1dLNy5DOloPfzVvFIVOWMB...
Basically, he suggests that every script tag have an optional attribute called 'hash'. Whenever the browser downloads a script, it computes the hash and caches the script. For any further requests that specify that hash, the browser can use the cached copy instead of downloading a new one. The main benefit here is that everyone can continue hosting their own scripts, yet still take advantage of caching.
Brendan Eich (creator of JS) proposes a different solution:
http://weblogs.mozillazine.org/roadmap/archives/2008/04/popu...
In your script tags, you would specify both a local version (using the src attribute) and a canonical version (using a 'shared' attribute).
Brendan's concern about the hash solution is the poisoned message attack (http://th.informatik.uni-mannheim.de/People/lucks/HashCollis...). However, I'm not sure that applies here. I believe that you need to be able to generate both documents in order to easily find a collision. Anyone else know if that's true?