Change canonisation method from minimisation to something less intrusive #16
I fully agree. I understand JS might be slow in crypto so minimizing then verifying signature seems easier, but come on, just do a hash of content, and then sign it. No minimizing required.
I was reading everything before, and it was all nice, until this part. WTF. It imposes a huge burden on development setup, build tools, and is going to break when the page and extensions are using different versions of https://github.com/Swaagie/minimize that change output format slightly. Which is very likely to happen.
Actually not really with the Web Crypto API, which is natively implemented in browsers and which I think this extension uses.
As mentioned in the README and in #15 (comment), this is not possible. You can't take the DOM content in a consistent manner across browsers. I don't remember the exact inconsistencies I got, but they were plentiful. I could maybe do some less aggressive, home-made canonisation. I think the differences were not that crazy and I can probably play this cat-and-mouse game with browsers, I just hope it won't break on browsers I'm not testing on. I'm leaving this one open, but going to change the title a bit.
From #15:
Once it's out in Chromium we can completely drop it, yes. At the moment it's also done for Firefox because the page is only signed with one signature. The moment the whole versioning scheme described in #13 and #15 is implemented, we can just have two signatures. Original and minimised so we can also support old browsers (on the signed page side), or to be honest, we can probably just drop old version support at the moment because signed-pages is not yet widely used.
Indeed drop old browser-support. BTW don't know how old the browsers you support actually are, but they have to support SRI, at least. And here is the issue link, again: https://bugs.chromium.org/p/chromium/issues/detail?id=487422
BTW why do you need that at all? Can't you just take the DOM content literally and that's it?