Signed HTTP Exchanges

Kinuko Yasuda

Signed HTTP Exchange (or "SXG") is a subset of the emerging technology called Web Packages, which enables publishers to safely make their content portable, i.e. available for redistribution by other parties, while still keeping the content’s integrity and attribution. Portable content has many benefits, from enabling faster content delivery to facilitating content sharing between users, and simpler offline experiences.

So, how do Signed HTTP Exchanges work? This technology allows a publisher to sign a single HTTP exchange (i.e., a request/response pair) in such a way that the signed exchange can be served from any caching server. When the browser loads this Signed Exchange, it can safely show the publisher’s URL in the address bar because the signature in the exchange is sufficient proof that the content originally came from the publisher’s origin.

Signed Exchange: The essence

This decouples the origin of the content from who distributes it. Your content can be published on the web, without relying on a specific server, connection, or hosting service! We're excited about possible uses of SXG such as:

  • Privacy-preserving prefetching: While prefetching resources (e.g., by link rel=prefetch) for a subsequent navigation can make the navigation feel a lot faster, it also has privacy downsides. For instance, prefetching resources for cross-origin navigations will disclose to the destination site that the user is potentially interested in a piece of information even if the user ultimately didn’t visit the site. On the other hand, SXG allows for prefetching cross-origin resources from a fast cache without ever reaching out to the destination site, thereby only communicating user interest if and when the navigation occurs. We believe that this can be useful for sites whose goal is to send their users to other websites. In particular, Google plans to use this on Google search result pages to improve AMP URLs and speed up clicks on search results.

  • Benefits of a CDN without ceding control of your certificate private key: Content that has suddenly become popular (e.g. linked from reddit.com's first page) often overloads the site where the content is served, and if the site is relatively small, it tends to slow down or even temporarily become unavailable. This situation can be avoided if the content is shared using fast, powerful cache servers, and SXG makes this possible without sharing your TLS keys.

Trying out Signed Exchanges

Signed Exchanges are available in Chrome 73 and later, and were previously available as an origin trial.

Creating your SXG

In order to create SXGs for your origin (as a publisher), you need a certificate key to generate the signature, and the certificate must have a special "CanSignHttpExchanges" extension to be processed as a valid SXG. As of November 2018, DigiCert is the only CA that supports this extension, and you can request the certificate that works for SXG from this page.

Once you get a certificate for SXG you can create your own SXGs by using the reference generator tools published on GitHub.

You can also take a look at the actual SXG example files in Chrome’s code repository (e.g. this one is the simplest one created for a simple text file). Note that they are generated primarily for local testing; please do not expect them to have valid certificates and timestamps in the signature.

Testing the Feature Locally

To create SXGs for testing purposes, you can create a self-signed certificate and enable chrome://flags/#allow-sxg-certs-without-extension so that Chrome processes SXGs created with a certificate that lacks the special extension.

Code like the following should work if your server, certificate, and SXGs are correctly set up:

<!-- prefetch the sample.sxg -->
<link rel="prefetch" href="https://your-site.com/sample.sxg" />

<!-- clicking the link below should make Chrome navigate to the inner
     response of sample.sxg (and the prefetched SXG is used) -->
<a href="https://your-site.com/sample.sxg">Sample</a>

Note that SXG is only supported by the anchor tag (<a>) and link rel=prefetch in Chrome 73 and later. Also note that the signature’s validity is capped to 7 days per spec, so your signed contents will expire relatively quickly.
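Because of the 7-day cap, a publisher will want to check the validity window of each SXG before serving it and re-sign ahead of expiry. The following is an added example, not code from the original article or from the Chrome or webpackage projects. It assumes the `date` and `expires` parameters of the exchange's Signature header as defined in the signed exchanges spec draft (they are not shown on this page), and the sample header value is constructed.

```python
import re
import time

MAX_VALIDITY_SECONDS = 7 * 24 * 60 * 60  # the 7-day cap mentioned above

# One ";key=value" parameter: quoted string, *base64* byte sequence, or bare token.
_PARAM = re.compile(
    r'\s*;\s*([a-z0-9_-]+)=("(?:[^"\\]|\\.)*"|\*[^*]*\*|[^;,\s]+)')

# Constructed sample; the signature bytes and URL paths are placeholders.
SAMPLE = ('sig1; sig=*AAAA*; integrity="digest/mi-sha256-03"; '
          'validity-url="https://your-site.com/sample.validity;v=1"; '
          'cert-url="https://your-site.com/cert.cbor"; '
          'date=1700000000; expires=1700604800')

def parse_signature_params(header):
    """Return {name: value} for the first signature in a Signature header."""
    label = re.match(r'\s*[A-Za-z0-9_-]+', header)
    if not label:
        raise ValueError("missing signature label")
    params, pos = {}, label.end()
    while True:
        m = _PARAM.match(header, pos)
        if not m:
            return params
        params[m.group(1)] = m.group(2).strip('"')
        pos = m.end()

def check_validity_window(header, now=None):
    """Return a list of problems with the date/expires window (empty = OK)."""
    now = int(time.time()) if now is None else now
    params = parse_signature_params(header)
    try:
        date, expires = int(params["date"]), int(params["expires"])
    except (KeyError, ValueError):
        return ["date/expires missing or not integers"]
    problems = []
    if expires <= date:  # sanity check: an empty or inverted window is unusable
        problems.append("expires is not after date")
    if expires - date > MAX_VALIDITY_SECONDS:
        problems.append("validity window exceeds 7 days")
    if now < date:
        problems.append("signature not yet valid")
    if now > expires:
        problems.append("signature expired")
    return problems
```

Running `check_validity_window` with a `now` some hours ahead of the real clock shows which exchanges need re-signing before they lapse.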

Providing Feedback

We are keen to hear your feedback on this experiment at webpackage-dev@chromium.org. You can also join the spec discussion, or report a Chrome bug to the team. Your feedback will greatly help the standardization process and also help us address implementation issues.
