caddr.org: content addressed origin

build decentralized cross site services with browser apis today

Browser resources such as localStorage, IndexedDB, and WebAuthn credentials are governed by the "same-origin policy": they are scoped to the origin (scheme, host and port) that created them and cannot be shared with other websites. This makes it difficult to build decentralized services that are meant to work across different websites.

With caddr.org, the "origin" is defined by the content of the code that is being run: the same script bytes always map to the same origin no matter which website embeds them, which makes caddr.org a credibly neutral platform for building shared resources.

what can you do with caddr.org?

how does caddr.org work?

caddr.org simply returns a page consisting of a script tag whose "src" is whatever is passed in through the query string and whose "integrity" attribute is the SHA-256 digest encoded in the subdomain, re-encoded as base64 with the "sha256-" prefix that Subresource Integrity expects. The subdomain itself is the lowercase, unpadded base32 encoding of that same digest. Because the browser refuses to execute a script whose bytes do not hash to the integrity value, the subdomain pins exactly which code may run under that origin.

for example

https://jyhensccrcfgezcf6f46ea6fxbrc7ul44kzlc2vrx63od64a47jq.caddr.org/?src=https://caddr-origin.github.io/examples/hello-world/demo.js

loads a page that contains

<script
  integrity="sha256-Tg5GyEKIimJkRfF54gPFuGIv0XzisrFqsb+24fuA59M="
  src="https://caddr-origin.github.io/examples/hello-world/demo.js">
</script>

Note that the embedding website is still "responsible" for hosting the script that is to be loaded; none of the scripts are hosted on caddr.org. The host may serve whatever it likes, but the browser will only run bytes that match the integrity attribute.

If you examine the source code of an actual page, you'll see that it's slightly different from what is described above: the script tags are generated dynamically in JavaScript so that the page can fall back to several potential sources if one fails to load. Each generated tag carries the same integrity attribute, so a fallback source cannot substitute different code; it can only succeed by serving byte-identical bytes.
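The fallback behaviour described above, as an added illustration that is not caddr.org's own code: one integrity value is pinned up front and every candidate source is tried with it, so a mirror that serves modified code fails the browser's check exactly like an unreachable host. The `.invalid` hostnames, the served-content table and the helper names are constructed for the example; the pinned integrity value is the one from this page's hello-world example.

```javascript
// Added example, not caddr.org's own code: load one integrity-pinned script
// from an ordered list of candidate sources, moving to the next source only
// when the previous attempt fails. Every attempt carries the same integrity
// attribute, so a fallback host can succeed only by serving byte-identical code.

// attemptLoad(src, integrity) returns a Promise that resolves once the script
// has executed and rejects on a network error or an integrity mismatch.
async function loadWithFallback(sources, integrity, attemptLoad) {
  const failures = [];
  for (const src of sources) {
    try {
      await attemptLoad(src, integrity);
      return { src, attempts: failures.length + 1 };
    } catch (err) {
      failures.push({ src, reason: err instanceof Error ? err.message : String(err) });
    }
  }
  const error = new Error(`no candidate source served a script matching ${integrity}`);
  error.failures = failures; // keep the per-source reasons for diagnostics
  throw error;
}

// Browser-side attemptLoad: insert a <script> element with src and integrity.
// The browser enforces the hash and fires "error" instead of "load" when the
// fetched bytes do not match.
function domScriptLoader(doc) {
  return (src, integrity) =>
    new Promise((resolve, reject) => {
      const el = doc.createElement("script");
      el.src = src;
      el.integrity = integrity;
      el.crossOrigin = "anonymous"; // SRI on a cross-origin script requires a CORS request
      el.onload = () => resolve(src);
      el.onerror = () => reject(new Error(`failed to load or verify ${src}`));
      doc.head.appendChild(el);
    });
}

// Offline stand-in for the browser: a table of what each host would serve,
// keyed by URL and valued by the integrity its content actually hashes to
// (constructed data for this example).
function fakeLoader(served) {
  const calls = [];
  const load = (src, integrity) => {
    calls.push(src);
    return served[src] === integrity
      ? Promise.resolve(src)
      : Promise.reject(new Error(served[src] ? "integrity mismatch" : "unreachable"));
  };
  load.calls = calls;
  return load;
}

const PINNED = "sha256-Tg5GyEKIimJkRfF54gPFuGIv0XzisrFqsb+24fuA59M="; // from the page's example
const SOURCES = [
  "https://primary.invalid/demo.js", // unreachable
  "https://mirror.invalid/demo.js",  // serves modified code
  "https://archive.invalid/demo.js", // serves the pinned bytes
];
const SERVED = {
  "https://mirror.invalid/demo.js": "sha256-DIFFERENTDIGEST",
  "https://archive.invalid/demo.js": PINNED,
};

if (typeof require !== "undefined" && require.main === module) {
  loadWithFallback(SOURCES, PINNED, fakeLoader(SERVED))
    .then((r) => console.log(`loaded from ${r.src} after ${r.attempts} attempts`))
    .catch((e) => console.error(e.message, e.failures));
}
```

In a real page you would call `loadWithFallback(sources, integrity, domScriptLoader(document))`. The `crossOrigin` attribute matters: Subresource Integrity cannot verify an opaque no-cors response, so a cross-origin script without it fails the check even when the bytes are correct.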

security

Ultimately we would like browsers to natively implement resolvers for URLs of the form *.caddr.org, similar to existing built-in pages such as about:blank. If you work on a browser, or know anyone who does, help towards native implementations would be much appreciated!

Since October 11, 2023, *.caddr.org has been on the HSTS preload list, which forces browsers to load it over HTTPS. DNSSEC is also enabled for the domain. A Content-Security-Policy header is used to enforce the contents of the page.

A browser extension has been developed to serve as an additional layer of security that guards against compromises of the caddr.org domain itself.

We would like to get caddr.org added to the Public Suffix List, so that browsers treat each hash subdomain as a separate site and cookies cannot be set for caddr.org as a whole; help on putting together a submission would also be appreciated.

The domain has been renewed 10 years ahead of time, but as a piece of web infrastructure it would be ideal if stewardship could be transferred to a credible organization.

At some point in the future, vulnerabilities may be discovered in SHA-256 that compromise its viability as the basis for a content-addressing scheme. However, the only other hash functions browsers support for Subresource Integrity, SHA-384 and SHA-512, are not viable alternatives given that a DNS label is at most 63 characters (RFC 1035): a 48-byte SHA-384 digest is 77 characters in base32 and a 64-byte SHA-512 digest is 103. The same limit is what necessitates the current base32 encoding, since a 32-byte SHA-256 digest is 52 base32 characters, whereas regular hexadecimal would require 64.

get started

Below is a simple tool where you can paste in the URL for some script file and it will automatically hash the contents and redirect you to the equivalent content-addressed caddr.org page.

Alternatively, you can calculate the subdomain from a local file by running the following shell pipeline. coreutils base32 emits uppercase with "=" padding, so the padding is stripped and the result lowercased to match caddr.org URLs; the second command prints the matching integrity attribute, which is the same digest as base64.

sha256sum FILENAME.js | awk '{ print $1 }' | xxd -r -p | base32 | tr -d '=' | tr 'A-Z' 'a-z'
echo "sha256-$(sha256sum FILENAME.js | awk '{ print $1 }' | xxd -r -p | base64)"

source integrity error

TODO: explanation of content addressed origin integrity error

misc

The name is pronounced "kuh-duh-dur", as is traditional in the Lisp community for the abbreviation of (car (cdr (cdr x))), which returns the third item in a linked list.