W3C home > Mailing lists > Public > whatwg@whatwg.org > November 2007

[whatwg] validate attribute in <A>

From: Ian Hickson <ian@hixie.ch>
Date: Mon, 5 Nov 2007 23:19:45 +0000 (UTC)
Message-ID: <Pine.LNX.4.62.0711052313230.30809@hixie.dreamhostps.com>
On Sat, 3 Nov 2007, Adam Barth wrote:
> 
> One scenario where something like this would be useful is for a site 
> like eBay that serves iframes and img tags pointing to third-party 
> content after reviewing that content for malware, scams, and adult 
> content.  Without this mechanism, the content they review might change 
> between the time they review it and the time their users load it.
> 
> By specifying the hash of the content, they can ensure that the user 
> agent loads exactly the content they reviewed.  (Of course, by ensuring 
> that the content specifies the hashes of all content it loads, eBay can 
> review all the content loaded by the iframe.)  Their alternative is to 
> host all the content themselves, but this would require a large 
> investment in server capacity as they reference a great deal of outside 
> content in their item listings.

On Sat, 3 Nov 2007, Adam Barth wrote:
> 
> Another scenario where this would be very useful is for HTTPS sites. 
> Currently, every HTTPS site must host all of its content over HTTPS, 
> including script, style sheets, images, SWF movies, etc.  If the hosts 
> any of this content over HTTP, an active network attacker can replace 
> that content with his own.  Loading scripts, style sheets, and SWF 
> movies over HTTP is disaster as the attacker can inject his own scripts 
> and control the secure session.  Sadly, this greatly increases the cost 
> of serving an HTTPS site because these large objects must be encrypted 
> for each client and cannot be cached by user agents.
> 
> Fortunately, confidentiality is often not required for these embedded 
> objects.  The scripts and images are all publicly available.  What is 
> required, however, is integrity.  If the site can specify the hash of 
> these objects when embedding them over HTTP, integrity can be guaranteed 
> and the performance benefits of HTTP can be reaped.

Philip brought up a good point on IRC which is that hashing the entity 
doesn't protect against changes to the headers (and hashing the headers 
isn't workable since they change).

I'm not sure it's worth it.

Those are good use cases, though.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Monday, 5 November 2007 15:19:45 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 30 January 2013 18:47:42 GMT