

Does the Web need HTML/JS code signing? - erastothenes

As pure HTML/JS web apps begin to encroach on the turf of native applications, they will inevitably face some of the same security problems that native apps once faced. One of these issues is trusted code delivery. This has traditionally been addressed with code signing, yet it is not currently possible to sign an HTML/JS single-page app in the way that an iPhone app or a browser extension can be signed. Do browsers need a new method for HTML/JS code verification?
======
TheHydroImpulse
No. Web pages are sandboxed and thus have limited control to the computer and
operating system compared to native apps.

~~~
erastothenes
Yet web page code can certainly be modified to perform malicious actions; XSS
is a rampant example. More and more Javascript applications handle information
that is of high value to users - passwords, private journals, financial
information, etc. Code signing can protect users against an attacker who
tampers with the architecture that handles this sensitive information.

