In #12 (comment) @jyasskin said:

The idea came up of providing a browser API to parse C2PA data. That's probably not useful: the server can provide a JS library to do the same thing, and it can write whatever it wants to the page's UI. However, I could imagine extending the w3c/webappsec-subresource-integrity#133 and https://github.com/WICG/signature-based-sri proposals to look at embedded signatures. Then images on, say, the BBC's site, which weren't signed by the BBC's key, could fail to load instead of showing unauthorized content. @chrisn, would that be attractive?