Does the Web need HTML/JS code signing?
As pure HTML/JS web apps begin to encroach on the turf of native applications, they will inevitably face some of the same security problems that native apps once faced. One of these issues is trusted code delivery. This has traditionally been addressed with code signing, yet it is not currently possible to sign an HTML/JS single-page app in the way that an iPhone app or a browser extension can be signed. Do browsers need a new method for HTML/JS code verification? No. Web pages are sandboxed and thus have limited control to the computer and operating system compared to native apps. Yet web page code can certainly be modified to perform malicious actions; XSS is a rampant example. More and more Javascript applications handle information that is of high value to users - passwords, private journals, financial information, etc. Code signing can protect users against an attacker who tampers with the architecture that handles this sensitive information.