- From: Devdatta Akhawe <dev.akhawe@gmail.com>
- Date: Tue, 11 Mar 2014 09:58:54 -0700
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>, Boris Zbarsky <bzbarsky@mit.edu>, Mark Nottingham <mnot@mnot.net>
Hi

One key question for the integrity spec is "What should the browser hash?" Boris mentioned this previously: http://lists.w3.org/Archives/Public/public-webappsec/2013Dec/0048.html

Informally, I am leaning towards hashing content after undoing stuff like gzip, deflate, chunked-encodings etc. Does that sound reasonable?

Next, how do we formalize (spec) this? In an ideal world, just saying "undo transfer-encoding" would be enough (i.e., spec would say "hash entity body"). But common behavior is to apply gzip via Content-Encoding, not transfer-encoding. And we want to hash after undoing gzip. (See Boris' email above.)

Mark: Do you know good specification text for this? After looking at the HTTP RFC, one wording that springs to my mind is: "After decoding the entity to the media-type referenced by the content-type header"

Thanks
Dev
Received on Tuesday, 11 March 2014 16:59:41 UTC
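
The question raised in the message above, worked through as an added example (not part of the original e-mail or of any spec text): it hashes the same script as delivered with different Content-Encoding settings, once over the bytes on the wire and once after undoing the content codings. It assumes Node.js with its built-in `zlib` and `crypto` modules; SHA-256 with base64 output and the function names `decodeContent`, `integrityDigest` and `compare` are choices made for this illustration.

```javascript
// Added illustration, not from the original message. SHA-256/base64 and all
// function names here are assumptions chosen for the example.
const crypto = require('crypto');
const zlib = require('zlib');

function sha256Base64(buf) {
  return crypto.createHash('sha256').update(buf).digest('base64');
}

// Undo every coding named in Content-Encoding. The header lists codings in
// the order they were applied, so they are removed last-to-first.
function decodeContent(body, contentEncoding) {
  const codings = (contentEncoding || '')
    .split(',').map((c) => c.trim().toLowerCase()).filter(Boolean);
  let out = body;
  for (const coding of codings.reverse()) {
    if (coding === 'gzip' || coding === 'x-gzip') out = zlib.gunzipSync(out);
    else if (coding === 'deflate') out = zlib.inflateSync(out); // zlib-wrapped
    else if (coding !== 'identity') throw new Error(`unsupported coding: ${coding}`);
  }
  return out;
}

// Digest of the decoded entity: what the message proposes to hash.
function integrityDigest(body, contentEncoding) {
  return sha256Base64(decodeContent(body, contentEncoding));
}

// Constructed sample: one script as three servers might deliver it.
const script = Buffer.from('console.log("widget loaded");\n'.repeat(40));
const responses = [
  { name: 'identity', encoding: '', body: script },
  { name: 'gzip -1', encoding: 'gzip', body: zlib.gzipSync(script, { level: 1 }) },
  { name: 'gzip -9', encoding: 'gzip', body: zlib.gzipSync(script, { level: 9 }) },
];

// Report both candidate hash inputs for each response.
function compare(list) {
  return list.map((r) => ({
    name: r.name,
    wireHash: sha256Base64(r.body),
    decodedHash: integrityDigest(r.body, r.encoding),
  }));
}

for (const row of compare(responses)) console.log(row);
```

The wire hashes differ for every delivery while the decoded hashes agree, so a page author can only publish one stable digest if the hash is taken after the content codings are removed.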