{"bundle_type":"pith_open_graph_bundle","bundle_version":"1.0","pith_number":"pith:2018:YQVPZCMLLIQCF7B6VZJ4MGNACE","short_pith_number":"pith:YQVPZCML","canonical_record":{"source":{"id":"1809.05628","kind":"arxiv","version":1},"metadata":{"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.CR","submitted_at":"2018-09-15T01:15:29Z","cross_cats_sorted":["cs.NI"],"title_canon_sha256":"e170b8d4311bdf39e9f6eaea72bf5f0c1162f7d85c1f020a872d2267d424de14","abstract_canon_sha256":"d90071df333c2e161c6c6c7bb28cd8f6c862bf6000707d76d47aefe4e7137062"},"schema_version":"1.0"},"canonical_sha256":"c42afc898b5a2022fc3eae53c619a01129625b9b49b38e622a3a10df774947a3","source":{"kind":"arxiv","id":"1809.05628","version":1},"source_aliases":[{"alias_kind":"arxiv","alias_value":"1809.05628","created_at":"2026-05-18T00:05:40Z"},{"alias_kind":"arxiv_version","alias_value":"1809.05628v1","created_at":"2026-05-18T00:05:40Z"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.1809.05628","created_at":"2026-05-18T00:05:40Z"},{"alias_kind":"pith_short_12","alias_value":"YQVPZCMLLIQC","created_at":"2026-05-18T12:33:04Z"},{"alias_kind":"pith_short_16","alias_value":"YQVPZCMLLIQCF7B6","created_at":"2026-05-18T12:33:04Z"},{"alias_kind":"pith_short_8","alias_value":"YQVPZCML","created_at":"2026-05-18T12:33:04Z"}],"events":[{"event_type":"record_created","subject_pith_number":"pith:2018:YQVPZCMLLIQCF7B6VZJ4MGNACE","target":"record","payload":{"canonical_record":{"source":{"id":"1809.05628","kind":"arxiv","version":1},"metadata":{"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.CR","submitted_at":"2018-09-15T01:15:29Z","cross_cats_sorted":["cs.NI"],"title_canon_sha256":"e170b8d4311bdf39e9f6eaea72bf5f0c1162f7d85c1f020a872d2267d424de14","abstract_canon_sha256":"d90071df333c2e161c6c6c7bb28cd8f6c862bf6000707d76d47aefe4e7137062"},"schema_version":"1.0"},"canonical_sha256":"c42afc898b5a2022fc3eae53c619a01129625b9b49b38e622a3a10df774947a3","receipt":{"kind":"pith_receipt","key_id":"pith-v1-2026-05","algorithm":"ed25519","signed_at":"2026-05-18T00:05:40.429642Z","signature_b64":"3H11USydb3K5OH6A0SQ/hGRU3gegi4VvjXhf8HV1IA2m4PXaMxsuMSuoVehj5ff3t/MXMaH+SQiObh7cciPeBw==","signed_message":"canonical_sha256_bytes","builder_version":"pith-number-builder-2026-05-17-v1","receipt_version":"0.3","canonical_sha256":"c42afc898b5a2022fc3eae53c619a01129625b9b49b38e622a3a10df774947a3","last_reissued_at":"2026-05-18T00:05:40.429166Z","signature_status":"signed_v1","first_computed_at":"2026-05-18T00:05:40.429166Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"source_kind":"arxiv","source_id":"1809.05628","source_version":1,"attestation_state":"computed"},"signer":{"signer_id":"pith.science","signer_type":"pith_registry","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"created_at":"2026-05-18T00:05:40Z","supersedes":[],"prev_event":null,"signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"qAd36s/2NWoNy2okV3xDRhmp/I6NbWTCqxxcvBHfRSY028Mmj4Yrt8wHDfiF6z1EWNPuaOYJ1hxyyNoNVr0hBA==","signed_message":"open_graph_event_sha256_bytes","signed_at":"2026-06-11T13:35:19.731681Z"},"content_sha256":"8140b7bd837a289f7d23f8190baa77b1c6e6cebd0e7f1a11d1e0213356275c3a","schema_version":"1.0","event_id":"sha256:8140b7bd837a289f7d23f8190baa77b1c6e6cebd0e7f1a11d1e0213356275c3a"},{"event_type":"graph_snapshot","subject_pith_number":"pith:2018:YQVPZCMLLIQCF7B6VZJ4MGNACE","target":"graph","payload":{"graph_snapshot":{"paper":{"title":"On the Integrity of Cross-Origin JavaScripts","license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","headline":"","cross_cats":["cs.NI"],"primary_cat":"cs.CR","authors_text":"Joonas Salovaara, Jukka Ruohonen, Ville Lepp\\\"anen","submitted_at":"2018-09-15T01:15:29Z","abstract_excerpt":"The same-origin policy is a fundamental part of the Web. Despite the restrictions imposed by the policy, embedding of third-party JavaScript code is allowed and commonly used. Nothing is guaranteed about the integrity of such code. To tackle this deficiency, solutions such as the subresource integrity standard have been recently introduced. Given this background, this paper presents the first empirical study on the temporal integrity of cross-origin JavaScript code. According to the empirical results based on a ten day polling period of over 35 thousand scripts collected from popular websites,"},"claims":{"count":0,"items":[],"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"source":{"id":"1809.05628","kind":"arxiv","version":1},"verdict":{"id":null,"model_set":{},"created_at":null,"strongest_claim":"","one_line_summary":"","pipeline_version":null,"weakest_assumption":"","pith_extraction_headline":""},"references":{"count":0,"sample":[],"resolved_work":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57","internal_anchors":0},"formal_canon":{"evidence_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"author_claims":{"count":0,"strong_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"builder_version":"pith-number-builder-2026-05-17-v1"},"verdict_id":null},"signer":{"signer_id":"pith.science","signer_type":"pith_registry","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"created_at":"2026-05-18T00:05:40Z","supersedes":[],"prev_event":null,"signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"ELcpKv4GuxZy19WoZYBrFpXbnaQ1/r4s9g3bNYqdL8K8gqiqe8A/JUoqJMqn4Is5UcPUBPeTUsOiwCkD9KbSCA==","signed_message":"open_graph_event_sha256_bytes","signed_at":"2026-06-11T13:35:19.732035Z"},"content_sha256":"2b93ca66a4f9624e0724a2a731abf9450b0cd1e1d7d80b0a7320fd25e0bbdaa0","schema_version":"1.0","event_id":"sha256:2b93ca66a4f9624e0724a2a731abf9450b0cd1e1d7d80b0a7320fd25e0bbdaa0"}],"timestamp_proofs":[],"mirror_hints":[{"mirror_type":"https","name":"Pith Resolver","base_url":"https://pith.science","bundle_url":"https://pith.science/pith/YQVPZCMLLIQCF7B6VZJ4MGNACE/bundle.json","state_url":"https://pith.science/pith/YQVPZCMLLIQCF7B6VZJ4MGNACE/state.json","well_known_bundle_url":"https://pith.science/.well-known/pith/YQVPZCMLLIQCF7B6VZJ4MGNACE/bundle.json","status":"primary"}],"public_keys":[{"key_id":"pith-v1-2026-05","algorithm":"ed25519","format":"raw","public_key_b64":"stVStoiQhXFxp4s2pdzPNoqVNBMojDU/fJ2db5S3CbM=","public_key_hex":"b2d552b68890857171a78b36a5dccf368a953413288c353f7c9d9d6f94b709b3","fingerprint_sha256_b32_first128bits":"RVFV5Z2OI2J3ZUO7ERDEBCYNKS","fingerprint_sha256_hex":"8d4b5ee74e4693bcd1df2446408b0d54","rotates_at":null,"url":"https://pith.science/pith-signing-key.json","notes":"Pith uses this Ed25519 key to sign canonical record SHA-256 digests. Verify with: ed25519_verify(public_key, message=canonical_sha256_bytes, signature=base64decode(signature_b64))."}],"merge_version":"pith-open-graph-merge-v1","built_at":"2026-06-11T13:35:19Z","links":{"resolver":"https://pith.science/pith/YQVPZCMLLIQCF7B6VZJ4MGNACE","bundle":"https://pith.science/pith/YQVPZCMLLIQCF7B6VZJ4MGNACE/bundle.json","state":"https://pith.science/pith/YQVPZCMLLIQCF7B6VZJ4MGNACE/state.json","well_known_bundle":"https://pith.science/.well-known/pith/YQVPZCMLLIQCF7B6VZJ4MGNACE/bundle.json"},"state":{"state_type":"pith_open_graph_state","state_version":"1.0","pith_number":"pith:2018:YQVPZCMLLIQCF7B6VZJ4MGNACE","merge_version":"pith-open-graph-merge-v1","event_count":2,"valid_event_count":2,"invalid_event_count":0,"equivocation_count":0,"current":{"canonical_record":{"metadata":{"abstract_canon_sha256":"d90071df333c2e161c6c6c7bb28cd8f6c862bf6000707d76d47aefe4e7137062","cross_cats_sorted":["cs.NI"],"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.CR","submitted_at":"2018-09-15T01:15:29Z","title_canon_sha256":"e170b8d4311bdf39e9f6eaea72bf5f0c1162f7d85c1f020a872d2267d424de14"},"schema_version":"1.0","source":{"id":"1809.05628","kind":"arxiv","version":1}},"source_aliases":[{"alias_kind":"arxiv","alias_value":"1809.05628","created_at":"2026-05-18T00:05:40Z"},{"alias_kind":"arxiv_version","alias_value":"1809.05628v1","created_at":"2026-05-18T00:05:40Z"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.1809.05628","created_at":"2026-05-18T00:05:40Z"},{"alias_kind":"pith_short_12","alias_value":"YQVPZCMLLIQC","created_at":"2026-05-18T12:33:04Z"},{"alias_kind":"pith_short_16","alias_value":"YQVPZCMLLIQCF7B6","created_at":"2026-05-18T12:33:04Z"},{"alias_kind":"pith_short_8","alias_value":"YQVPZCML","created_at":"2026-05-18T12:33:04Z"}],"graph_snapshots":[{"event_id":"sha256:2b93ca66a4f9624e0724a2a731abf9450b0cd1e1d7d80b0a7320fd25e0bbdaa0","target":"graph","created_at":"2026-05-18T00:05:40Z","signer":{"key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signer_id":"pith.science","signer_type":"pith_registry"},"payload":{"graph_snapshot":{"author_claims":{"count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57","strong_count":0},"builder_version":"pith-number-builder-2026-05-17-v1","claims":{"count":0,"items":[],"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"formal_canon":{"evidence_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"paper":{"abstract_excerpt":"The same-origin policy is a fundamental part of the Web. Despite the restrictions imposed by the policy, embedding of third-party JavaScript code is allowed and commonly used. Nothing is guaranteed about the integrity of such code. To tackle this deficiency, solutions such as the subresource integrity standard have been recently introduced. Given this background, this paper presents the first empirical study on the temporal integrity of cross-origin JavaScript code. According to the empirical results based on a ten day polling period of over 35 thousand scripts collected from popular websites,","authors_text":"Joonas Salovaara, Jukka Ruohonen, Ville Lepp\\\"anen","cross_cats":["cs.NI"],"headline":"","license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.CR","submitted_at":"2018-09-15T01:15:29Z","title":"On the Integrity of Cross-Origin JavaScripts"},"references":{"count":0,"internal_anchors":0,"resolved_work":0,"sample":[],"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"source":{"id":"1809.05628","kind":"arxiv","version":1},"verdict":{"created_at":null,"id":null,"model_set":{},"one_line_summary":"","pipeline_version":null,"pith_extraction_headline":"","strongest_claim":"","weakest_assumption":""}},"verdict_id":null}}],"author_attestations":[],"timestamp_anchors":[],"storage_attestations":[],"citation_signatures":[],"replication_records":[],"corrections":[],"mirror_hints":[],"record_created":{"event_id":"sha256:8140b7bd837a289f7d23f8190baa77b1c6e6cebd0e7f1a11d1e0213356275c3a","target":"record","created_at":"2026-05-18T00:05:40Z","signer":{"key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signer_id":"pith.science","signer_type":"pith_registry"},"payload":{"attestation_state":"computed","canonical_record":{"metadata":{"abstract_canon_sha256":"d90071df333c2e161c6c6c7bb28cd8f6c862bf6000707d76d47aefe4e7137062","cross_cats_sorted":["cs.NI"],"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.CR","submitted_at":"2018-09-15T01:15:29Z","title_canon_sha256":"e170b8d4311bdf39e9f6eaea72bf5f0c1162f7d85c1f020a872d2267d424de14"},"schema_version":"1.0","source":{"id":"1809.05628","kind":"arxiv","version":1}},"canonical_sha256":"c42afc898b5a2022fc3eae53c619a01129625b9b49b38e622a3a10df774947a3","receipt":{"algorithm":"ed25519","builder_version":"pith-number-builder-2026-05-17-v1","canonical_sha256":"c42afc898b5a2022fc3eae53c619a01129625b9b49b38e622a3a10df774947a3","first_computed_at":"2026-05-18T00:05:40.429166Z","key_id":"pith-v1-2026-05","kind":"pith_receipt","last_reissued_at":"2026-05-18T00:05:40.429166Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","receipt_version":"0.3","signature_b64":"3H11USydb3K5OH6A0SQ/hGRU3gegi4VvjXhf8HV1IA2m4PXaMxsuMSuoVehj5ff3t/MXMaH+SQiObh7cciPeBw==","signature_status":"signed_v1","signed_at":"2026-05-18T00:05:40.429642Z","signed_message":"canonical_sha256_bytes"},"source_id":"1809.05628","source_kind":"arxiv","source_version":1}}},"equivocations":[],"invalid_events":[],"applied_event_ids":["sha256:8140b7bd837a289f7d23f8190baa77b1c6e6cebd0e7f1a11d1e0213356275c3a","sha256:2b93ca66a4f9624e0724a2a731abf9450b0cd1e1d7d80b0a7320fd25e0bbdaa0"],"state_sha256":"b7e71ea199cc89c91b8f07223a22b6e5036a403132c3fbed0c41561b9daf3b6c"},"bundle_signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"Jdqv43wwJxusCS/Vw1xwrSBMhvvp0j7WyuCsxKyWAXzqYM/aC9Is6qopDyTK/SWHdqDGdvGYb2qO9HYP1TavDg==","signed_message":"bundle_sha256_bytes","signed_at":"2026-06-11T13:35:19.734224Z","bundle_sha256":"0580cd5c1e3bfa0f9240489e29d9e1b198e33238d2ebd29cd8fd3026e0fe848a"}}