- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Wed, 09 Apr 2014 11:32:39 -0400
- To: Devdatta Akhawe <dev.akhawe@gmail.com>
- CC: Mark Nottingham <mnot@mnot.net>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On 3/15/14 1:09 AM, Devdatta Akhawe wrote:
> 1. UAs must check hash against the representation (which is the
> message payload before content codings are applied,
> http://tools.ietf.org/html/draft-ietf-httpbis-p2-semantics-26#section-3.1.1.5)
>
> 2. An exception is the case where the UA will save files to disk with
> the content encoding preserved; the developer needs to provide the
> hash on the gzip'ed file.

This seems reasonable to me... That is, the data that gets hashed is the data the UA will actually manipulate.

> The choice seems to be the spec above (or something similar) or what I
> believe is the much cleaner option of "Always remove
> content-encoding", where we ask developers to do a bit more work.

And require tarball downloads in browsers from a server that sent content-encoding:gzip to do a streaming decompress+recompress, right?

Again, as a UA developer it seems like a pretty positive property if I hash the bytes I'm already working with...

-Boris
Received on Wednesday, 9 April 2014 15:33:09 UTC