Implement the Hugo module cleanup from the spec review.
Tasks:
- Use canonical unpadded Base64 consistently for hashes and signatures.
- Bind signatures to serialized origins, not bare hostnames.
- Sign all direct child
meta claims inside signed-section according to the finalized claims contract.
- Add signed attribute coverage for
href, src, alt, and aria-label in canonicalization/signing inputs.
- Keep server-HTML output stable so browser verifiers can validate the original response snapshot.
- Update tests and README examples.
Spec tracking issue: HTMLTrust/htmltrust-spec protocol cleanup after security review.
Implement the Hugo module cleanup from the spec review.
Tasks:
metaclaims insidesigned-sectionaccording to the finalized claims contract.href,src,alt, andaria-labelin canonicalization/signing inputs.Spec tracking issue: HTMLTrust/htmltrust-spec protocol cleanup after security review.