Supporting WAICT Manifest in Integrity-Policy #158

@ezzak

WAICT introduces a concept of a Manifest Bundle that includes a list of resource hashes permitted to run on the page. In what follows, we present how we can enable the use of a manifest bundle using Integrity-Policy:

Integrity-Policy: blocked-destinations=(script), source=(<manifest_bundle_uri>)

We’re proposing a new supported value for the source attribute that points to the manifest bundle, a JSON structure defined below that will also hold a set of hashes SRI can check against (along with other information necessary for WAICT). Execution will be blocked if a matching hash is not found in the example above.

Tentative Manifest Bundle Format:

{
  "root_hash": "4813494d137e1631bba301d5acab6e7bb7aa74ce1185d456565ef51d737677b2",
  "bt-inclusion-proof": "1029u1239u12039u1u23",
  // Below value is covered by the bt and when hashed gives the root hash
  "manifest": {
    "version": 1, // format of the manifest
    "integrity-policy": "blocked-destinations=(script), checked-destinations=(wasm)",
    "bt-server": "www.mybt.com/com.whatsapp.www ",
    "hashes": {
      "/assets/x.html": "ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb",
      "/assets/main.js": "fb8e20fc2e4c3f248c60c39bd652f3c1347298bb977b8b4d5903b85055620603",
      "": [
        "3431742b9dbff1751bba9ba47483ed62ae7fdf42d560a480a282af38b6c8de0a"
      ],
    },
    "metadata": "arbitrary data... "
  },
  "transparency": {
    "important transparency stuff here"
  },
}

Notes:

  • The Manifest bundle will contain other metadata, some of which would be used for the transparency portions of WAICT.
  • If there is a conflict between the HTTP Header Integrity Policy and what is in the manifest, the Manifest’s value takes precedence. This value is necessarily present in the manifest for accountability purposes in the transparency log. Ideally the values should be the same, and the browser should surface any conflict as an issue while still enforcing what is specified in the Manifest bundle.
    • For example, if the header sets the policy with report mode while the manifest bundle sets the policy with enforce mode, the browser should start out by using report mode until it reaches the point where the manifest bundle is parsed, where it will start enforcing.
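
An added sketch of the enforcement decision the notes above describe, including the report-then-enforce transition; it is not code from the proposal or from any browser. The parsed policy objects (`mode`, `blocked`), the function names and the sample bundle are assumptions made for illustration.

```javascript
// Added example, not from the WAICT proposal. Policy objects are a
// hypothetical parsed form of the Integrity-Policy string.
const { createHash } = require('node:crypto');
const sha256Hex = (body) => createHash('sha256').update(body).digest('hex');

// A "hashes" entry may be a single hex string or an array of them.
function allowedHashes(manifest, path) {
  if (!Object.hasOwn(manifest.hashes, path)) return []; // ignore prototype keys
  const entry = manifest.hashes[path];
  return (Array.isArray(entry) ? entry : [entry]).map((h) => h.toLowerCase());
}

// Until the bundle is parsed only the header policy exists. Afterwards the
// manifest's policy wins, and a disagreement is surfaced as an issue.
function effectivePolicy(headerPolicy, bundle) {
  if (!bundle) return { policy: headerPolicy, issues: [] };
  const m = bundle.manifest.policy;
  const same = m.mode === headerPolicy.mode &&
    [...m.blocked].sort().join() === [...headerPolicy.blocked].sort().join();
  return { policy: m, issues: same ? [] : ['header/manifest policy mismatch'] };
}

function checkResource(destination, path, body, headerPolicy, bundle) {
  const { policy, issues } = effectivePolicy(headerPolicy, bundle);
  if (!policy.blocked.includes(destination)) return { action: 'allow', issues };
  // With no bundle yet there is nothing to match, so the header's mode decides.
  const ok = Boolean(bundle) &&
    allowedHashes(bundle.manifest, path).includes(sha256Hex(body));
  if (ok) return { action: 'allow', issues };
  return { action: policy.mode === 'enforce' ? 'block' : 'report', issues };
}

// Constructed sample data; hashes are computed here, not taken from the page.
const GOOD = 'console.log("app");';
const headerPolicy = { mode: 'report', blocked: ['script'] };
const sampleBundle = {
  manifest: {
    policy: { mode: 'enforce', blocked: ['script'] },
    hashes: {
      '/assets/main.js': sha256Hex(GOOD),
      '/assets/alt.js': [sha256Hex('a'), sha256Hex('b')],
    },
  },
};

console.log(checkResource('script', '/assets/main.js', GOOD + '//x', headerPolicy, sampleBundle));
```
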
