Description
Introduction
Some security sensitive applications include compromise of their application server in the threat model. For example, end-to-end encryption is designed to protect the user against the developer's infrastructure being compromised or coerced into revealing the contents of messages in transit. Transport Layer Security (TLS) and Subresource Integrity (SRI) do not provide protection against this scenario because they only prevent resources from being tampered with in transit or when hosted on third-party servers. The web's usual transport model simply doesn't allow the developer to prove that the code they delivered to a particular client hasn't been tampered with.
We propose standardizing a way of building applications using web technologies that will be able to make these kinds of integrity and authenticity assertions. They are tentatively called Isolated Web Apps (IWAs). Rather than fetching resources on-demand over HTTPS, they are packaged into Web Bundles, signed by their developer, and verified by a trusted third party. This makes distributing updates (legitimate or otherwise) significantly more difficult and isn't a trade-off we expect most sites to accept.
Feedback
I welcome feedback in this thread, but encourage you to file bugs against the Explainer.