Google Chrome Adding Support for Signed HTTP Exchanges

The Google Chrome team is working on shipping a Signed HTTP Exchanges (SXG) feature with a future Chrome release allowing the browser to load and navigate signed web documents designed to look as originating from a particular source, regardless of the server they’re loaded from.

Signed HTTP Exchanges work by allowing content publishers to sign HTTP exchanges so that it can be served via any caching server.

This makes it possible for browsers to load that signed resource from any server while still being able to display the original publisher’s URL in the address bar.

Seeing that in this way the origin of the web content is decoupled from the server used to distribute it, web documents will be published on the Internet without having to depend on a specific server, connection, or hosting service after SXG support will be added to web browsers.

As detailed on the SXG origin trial page, “Signed HTTP Exchange (or “SXG”) is a subset of the emerging technology called Web Packages, which enables publishers to safely make their content portable, i.e. available for redistribution by other parties, while still keeping the content’s integrity and attribution.”

According to the AMP Project initiative, Signed Exchanges:

  • Provide a guarantee, using cryptographic signatures, that the content is exactly what the publisher intended to show the user.
  • Allow the browser to treat a document as belonging to the publisher’s Origin. This allows a publisher to use first party cookies to customize content, execute service workers, and measure analytics.
Signed Exchange

At the moment, according to the Origin Trial Feedback, Cloudflare and DigiCert already added support for Signed HTTP Exchanges to their platforms, while Protocol Labs is already running experiments using Signed Exchange on top of the IFPS peer-to-peer hypermedia protocol.

According to Protocol Labs:

Google is championing work on “Web Packaging” to solve MITM (aka “misattribution problem”) of the AMP Project. Signed HTTP Exchanges (SXG) decouple the origin of the content from who distributes it. Content can be published on the web, without relying on a specific server, connection, or hosting service, which is highly relevant for IPFS, as it is perfect for distributing immutable bundles.

Furthermore, Cloudfare’s implementation will “allow AMP caches to serve content under its origin URL, we implemented HTTP signed exchanges, which extend authenticity and integrity to content cached and served on behalf of a publisher.”

Signed HTTP Exchanges Internet-Draft, a working document of the Internet Engineering Task Force (IETF), has also been published on IETF’s website on January 23, with an expiration date of July 27, as part of Chrome team’s ongoing efforts.

Already supported by Opera, considered harmful by Mozilla

The Intent to Ship page states that the SXG feature will be available on all six Blink platforms (i.e., Windows, Mac, Linux, Chrome OS, Android, and Android WebView), and gives access to the spec’s Signed Exchanges format and Loading signed exchanges details.

Furthermore, as described on the SXG entry on the Chrome Platform Status dashboard, the Origin trial for this feature is already ongoing on the Chrome 71 platforms for desktop and Android.

It is worth noting that SXG is already supported by the Opera web browser, still under evaluation by the Microsoft Edge team, while Mozilla Firefox considers it harmful, and the Safari team already expressed its skepticism.

Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Most Popular

To Top