W3C home > Mailing lists > Public > public-webappsec@w3.org > April 2014

Re: [integrity] What should we hash?

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Wed, 09 Apr 2014 11:32:39 -0400
Message-ID: <53456817.7000308@mit.edu>
To: Devdatta Akhawe <dev.akhawe@gmail.com>
CC: Mark Nottingham <mnot@mnot.net>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On 3/15/14 1:09 AM, Devdatta Akhawe wrote:
> 1. UAs must check hash against the representation (which is  the
> message payload before content codings are applied,
> http://tools.ietf.org/html/draft-ietf-httpbis-p2-semantics-26#section-3.1.1.5)
>
> 2. An exception is the case where the UA will save files to disk with
> the content encoding preserved, the developer needs to provide the
> hash on the gzip'ed file.

This seems reasonable to me...  That is, the data that gets hashed is 
the data the UA will actually manipulate.

> The choice seems to be the spec above (or something similar) or what I
> believe is the much cleaner option of "Always remove
> content-encoding", where we ask developers to do a bit more work.

And require tarball downloads in browsers from a server that sent 
content-encoding:gzip to do a streaming decompress+recompress, right?

Again, as a UA developer it seems like a pretty positive property if I 
hash the bytes I'm already working with...

-Boris
Received on Wednesday, 9 April 2014 15:33:09 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:05 UTC