I wrote about this vaguely in a primordial soup a month ago, but I’ve since solidified the ideas in a blog post.
Problem: When NFTs point to optional metadata stored off-chain, there is no on-chain mechanism that a browser/wallet can use to validate that the metadata hasn’t been tampered with.
Solution: In Web 2.0 the W3C standardized Subresource Integrity (SRI), which allows resources in HTML to declare their hashing algorithm and integrity digest so the browser can download the resource, hash it, compare the result with the declared integrity digest, and then pass/fail the resource. We can do the same on-chain by providing a simple interface, getIntegrity(tokenId), that returns the SRI-formatted hashing algorithm + base64-encoded integrity digest.
Caveat: browsers/wallets will have to adopt both checking for the interface and validating off-chain metadata, but this can be a powerful tool against future malicious NFT projects.
Full details here:
Looking for contributors to help us draft an EIP.
Previous topic where I first thought about the idea: SRI-style Integrity Digests for Tokens