With the new additions to our client signing API, perhaps it could be built into safeNfs uploads to sign files beforehand and then
webFetch can verify the signed file?
Of course that would only ensure that the file hadn’t been changed or tampered with since the file upload event, which wouldn’t handle a malicious developer signing and uploading.
Just now I was a bit shocked reading about how to manually invoke a click event on a hidden anchor link.
<a href="http://mal.site.com/files?hash=hiqjv93xz1m0jqp18aJm9Hqepbvw8eq5" download id="hiddenAnchor" hidden></a>
The potential of this is worrisome and is just one small example of many that I’m not aware.
This may bring us back to @happybeing’s exploration of SOLID and use of the WebID standard which relies on X.509 certificates. It wouldn’t prevent malicious code but it could be our trust system.
So much more to research.
You’re the best Mark, I’m thankful that you thought to post this issue.