[integrity] What should we hash?

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Tue, 11 Mar 2014 09:58:54 -0700
Message-ID: <CAPfop_0KKWy0NOxRKptmBpT1VtOF82Mb4jYRciq00f7OLJh8rg@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>, Boris Zbarsky <bzbarsky@mit.edu>, Mark Nottingham <mnot@mnot.net>

Hi

One key question for integrity spec is "What should the browser hash?"
Boris mentioned this previously
http://lists.w3.org/Archives/Public/public-webappsec/2013Dec/0048.html

Informally, I am leaning towards hashing content after undoing stuff
like gzip, deflate, chunked-encodings etc. Does that sound reasonable?

Next, how do we formalize (spec) this? In an ideal world, just saying
"undo transfer-encoding" would be enough (i.e., spec would say "hash
entity body"). But, common behavior is to apply gzip via
Content-Encoding not transfer-encoding. And we want to hash after
undoing gzip. (see Boris' email above)

Mark: Do you know good specification text for this? After looking at
the HTTP RFC, one wording that springs to my mind is: "After decoding
the entity to the media-type referenced by the content-type header"

Thanks
Dev
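The layering Dev describes, as an added example that is not part of the original message and not from the integrity spec: a script body is gzip'd (Content-Encoding) and then sent with chunked transfer-coding, and the receiver strips the transfer-coding first, then the content-coding, and hashes what remains. The function names (`integrity_hash`, `decode_chunked`, ...) and the constructed script bytes are this example's own assumptions; hashes are shown as hex SHA-256 digests rather than in any particular integrity-attribute syntax.

```python
import gzip
import hashlib
import zlib

# Constructed sample resource; stands in for a script fetched with an integrity attribute.
SCRIPT = b"window.__loaded = true; // sample script body\n"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def encode_chunked(data, chunk_size=5):
    """Wrap bytes in HTTP/1.1 chunked transfer-coding (hex size, CRLF, data, CRLF, ..., 0 CRLF CRLF)."""
    out = bytearray()
    for i in range(0, len(data), chunk_size):
        piece = data[i:i + chunk_size]
        out += f"{len(piece):x}\r\n".encode() + piece + b"\r\n"
    out += b"0\r\n\r\n"
    return bytes(out)


def decode_chunked(data):
    """Undo chunked transfer-coding and return the message body as the sender produced it."""
    body = bytearray()
    pos = 0
    while True:
        end = data.index(b"\r\n", pos)
        size_line = data[pos:end].split(b";")[0]      # ignore chunk extensions
        size = int(size_line, 16)
        pos = end + 2
        if size == 0:
            break                                      # last-chunk; trailers are not part of the body
        body += data[pos:pos + size]
        pos += size
        if data[pos:pos + 2] != b"\r\n":
            raise ValueError("malformed chunk: missing CRLF after chunk data")
        pos += 2
    return bytes(body)


def decode_content(body, content_encoding):
    """Undo Content-Encoding so that what is left is the representation named by Content-Type."""
    if content_encoding in (None, "identity"):
        return body
    if content_encoding == "gzip":
        return gzip.decompress(body)
    if content_encoding == "deflate":
        return zlib.decompress(body)                   # HTTP "deflate" is zlib-wrapped (RFC 1950)
    raise ValueError(f"unsupported Content-Encoding: {content_encoding!r}")


def integrity_hash(wire_body, transfer_encoding=None, content_encoding=None):
    """Hash the resource the way the message proposes: after removing both transfer- and content-codings.

    Order matters: the transfer-coding is the outer (hop-by-hop) layer, so it is removed first;
    the content-coding is a property of the representation and is removed second.
    """
    body = decode_chunked(wire_body) if transfer_encoding == "chunked" else wire_body
    representation = decode_content(body, content_encoding)
    return sha256_hex(representation)


def build_wire_body(script):
    """Server side of the constructed exchange: Content-Encoding: gzip, Transfer-Encoding: chunked."""
    compressed = gzip.compress(script, mtime=0)        # fixed mtime keeps the sample reproducible
    return encode_chunked(compressed)


if __name__ == "__main__":
    wire = build_wire_body(SCRIPT)
    print("hash of decoded representation:", integrity_hash(wire, "chunked", "gzip"))
    print("hash of bytes on the wire:     ", sha256_hex(wire))
    print("match with hash of original:   ", integrity_hash(wire, "chunked", "gzip") == sha256_hex(SCRIPT))
```

Only the first of the two digests is stable across servers and proxies: the wire bytes depend on the compressor, its settings and the chunk boundaries an intermediary happens to choose, so a digest over them would be useless to an author writing the expected value into markup. The example stops at the bytes of the representation and does not decode them to text, so a charset change would still be detected as a mismatch.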
Received on Tuesday, 11 March 2014 16:59:41 UTC