I think that signing-bodies-without-signing-their-names is likely to turn into security vulnerabilities unless everyone tightly controls which keys they use to sign which content.
The simplest example might be:
needsAuth.js:

    function needsAuth() { return true; }

noAuth.js:

    function needsAuth() { return false; }

If an origin server is "foolish" enough to sign both of those with the same key, a malicious CDN could swap them in for each other, removing authentication from pages that should insist on it.
I'm pretty sure clever security researchers will be able to construct other attacks by replacing other more benign-looking JavaScript files with each other. However, if the origin server signs the name (URL and maybe request headers) of each resource with its content, then the malicious CDN loses that axis of freedom and can't run this kind of attack.
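
The difference between the two signing schemes described above, as an added example that is not part of the original post. It assumes an Ed25519 origin key, constructed `origin.example` URLs, and a hypothetical length-prefixed encoding of the URL in the signed input; it binds only the URL, not request headers.

```javascript
const crypto = require('node:crypto');

// Constructed origin key pair; one key signs every resource, as in the post.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');

// Constructed URLs carrying the two bodies from the post.
const AUTH_URL = 'https://origin.example/needsAuth.js';
const NOAUTH_URL = 'https://origin.example/noAuth.js';
const resources = {
  [AUTH_URL]: 'function needsAuth() { return true; }',
  [NOAUTH_URL]: 'function needsAuth() { return false; }',
};

// Bytes covered by the signature. With bindName the URL is included,
// length-prefixed so the URL/body boundary cannot be shifted.
function signedInput(url, body, bindName) {
  const bodyBytes = Buffer.from(body, 'utf8');
  if (!bindName) return bodyBytes;
  const urlBytes = Buffer.from(url, 'utf8');
  const len = Buffer.alloc(4);
  len.writeUInt32BE(urlBytes.length);
  return Buffer.concat([len, urlBytes, bodyBytes]);
}

// Origin side: sign a resource under the URL it was published at.
function originSign(url, bindName) {
  return crypto.sign(null, signedInput(url, resources[url], bindName), privateKey);
}

// Client side: verify against the URL the client actually requested.
function clientVerify(requestedUrl, body, sig, bindName) {
  return crypto.verify(null, signedInput(requestedUrl, body, bindName), publicKey, sig);
}

// An intermediary answers a request for requestedUrl with the signed
// response the origin produced for servedUrl. Returns whether the client accepts it.
function clientAccepts(requestedUrl, servedUrl, bindName) {
  const sig = originSign(servedUrl, bindName);
  return clientVerify(requestedUrl, resources[servedUrl], sig, bindName);
}

console.log('body-only, swapped :', clientAccepts(AUTH_URL, NOAUTH_URL, false));
console.log('name-bound, swapped:', clientAccepts(AUTH_URL, NOAUTH_URL, true));
console.log('name-bound, honest :', clientAccepts(AUTH_URL, AUTH_URL, true));
```
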