
> The user agent (browser) enforces this.

This assumes the user agent is actually an agent of the user, and not the AMP provider, which is demonstrably [1] not the case.

[1] https://github.com/w3ctag/design-reviews/issues/467#issuecom...



Chrome does enforce the matching signature. Browsers without Signed Exchange support will likely never get a signed exchange, as they do not advertise support for it in the `Accept` request header.


@freeone3000, that's incorrect, in the case of Signed Exchanges. Chrome will verify the document's signature against the publisher's public certificate. This will be `nytimes.com` for example. It is not using Google's certificate for this verification, and Google does not possess the private key required to modify the content and update the signature.


The actual mechanism by which a signed exchange is implemented is prone to man-in-the-middle attacks by removing the Signature field wholesale. You are not requesting info from nytimes.com, you're requesting info from amp.google.com and trusting that the backing data is accurate. There's no need for a certificate to be presented at ALL! Unless it can be determined that such a header should exist, there's no way to verify its absence.


All this means is that any server can choose to present any bytes, even with TLS, as a response to any request. This isn't a novel observation.

If a signed exchange includes a URL, that URL must be signed for the browser to respect the field.


Right, but this means proposing signed exchanges as a solution to AMP's strategies is kind of nonsense, since it's a semantic problem whether a page is acting as a proxy for another, and a technological solution doesn't work here.


Chrome enforces that the signature being served by google is the same signature as the one being served by google. It's a useless verification. If Google were so inclined, they could very well just change the <link> tag too.


I think we are talking about different things here. You, as an AMP engineer are talking about how Chrome implemented this [1], but I'm talking about how Chrome is not a user agent, because it demonstrably acts as Google's agent, not the user's.

[1] Which is unverifiable, we just have to take your word for it.


Isn't Chrome open source? Can't you verify it?


Chromium is open source, Google Chrome isn't.


The last time I checked, the only closed source parts were some profile sync keys and some media codecs.


Oh well please keep checking for us, since all of us do not have access to Google Chrome source code. Thank you for taking on this responsibility, sure hope you don't get hit by a bus.



