- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Wed, 09 Apr 2014 13:18:29 -0400
- To: Devdatta Akhawe <dev.akhawe@gmail.com>
- CC: Mark Nottingham <mnot@mnot.net>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On 4/9/14 1:11 PM, Devdatta Akhawe wrote:
> Or just not do a streaming decompress/recompress. If
> content-encoding:gzip is sent but the browser didn't plan on doing a
> decompress already, the browser can just fail.

"Just fail to save the file the user asked you to save" is not exactly
something I would like to ship.

> If I am not wrong, if I want to download exe, pdf, etc. and the server
> sends these with a content-encoding:gzip, browsers already do a
> decompress.

Correct.

> The only place where a decompress isn't done is something like: file is
> foo.tar.gz, content-type is application/x-tar and content-encoding is
> gzip.

Yes. The default Apache config, last I checked.

> Browsers can fail SRI check for such downloads to avoid a streaming
> decompress/recompress.

See above. You'd be setting up a situation where the download works fine
in a browser without SRI but fails in one with. Which is a general
problem with SRI, of course... But the point is that from a user's point
of view the browser will update and stuff will stop working. That is what
we call a Bad User Experience.

> Since this would be easily noticeable during testing

You're assuming people test their stuff on the web. Some do. More
don't...

-Boris
Received on Wednesday, 9 April 2014 17:19:00 UTC
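The exchange above turns on which bytes an SRI check would hash for a download and which bytes end up on disk. The following Python model is an added example, not code from the thread or from any browser; it assumes (my assumption, not stated by either participant) that the integrity check is applied to the content-decoded body, and it uses constructed sample payloads. It shows the two cases Boris and Devdatta discuss: an ordinary gzip-encoded download that is saved decoded, and the foo.tar.gz case (application/x-tar with content-encoding: gzip) where the user wants the compressed bytes, so the browser must decompress a copy just to run the check. It also shows why "decompress/recompress" is not a way to reconstruct the original file: gzip output depends on the encoder's mtime and level, so a recompressed archive generally differs byte for byte from what the server sent.

```python
import base64
import gzip
import hashlib
import hmac
import io
import tarfile

# Constructed sample payloads (not from the thread).
TAR_FILES = {"foo/README": b"hello from foo\n", "foo/data.bin": bytes(range(256)) * 4}
PDF_BYTES = b"%PDF-1.4\n% constructed minimal sample, not a real document\n"
SERVER_MTIME = 1234567890  # constructed: the mtime the "server's" gzip encoder stamps in


def build_tar(files):
    """Build a small uncompressed tar archive in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = 0  # fixed so the archive bytes are reproducible
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def gzip_encode(data, mtime=0, level=6):
    """Apply Content-Encoding: gzip the way a server would. The mtime field and
    compression level are implementation details that differ between servers
    and libraries, and both change the bytes on the wire."""
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=mtime, compresslevel=level) as gz:
        gz.write(data)
    return out.getvalue()


def sri_digest(data, alg="sha256"):
    """Integrity metadata value in SRI syntax: '<alg>-<base64 digest>'."""
    return alg + "-" + base64.b64encode(hashlib.new(alg, data).digest()).decode()


def integrity_matches(data, integrity):
    return hmac.compare_digest(sri_digest(data), integrity)


def download(wire_bytes, content_type, content_encoding, integrity):
    """Model the browser side of a download that carries integrity metadata.

    Assumption (mine, not from the thread): the SRI check runs over the
    content-decoded body, i.e. the bytes after Content-Encoding is removed.
    Returns (check_passed, bytes_written_to_disk).
    """
    if content_encoding == "gzip":
        decoded = gzip.decompress(wire_bytes)  # the decompress the thread talks about
    else:
        decoded = wire_bytes
    ok = integrity_matches(decoded, integrity)

    # The tar.gz special case: application/x-tar with gzip content-encoding
    # means the user asked for the compressed file, so the wire bytes are what
    # get saved; the decoded copy exists only to be hashed. Everything else
    # (exe, pdf, ...) is saved in decoded form.
    if content_type == "application/x-tar" and content_encoding == "gzip":
        saved = wire_bytes
    else:
        saved = decoded
    return ok, saved


def recompress_reproduces_wire(wire_bytes, mtime, level):
    """Would decompress-then-recompress give back the file the server had?
    Only if the recompressor happens to match the original mtime and level."""
    return gzip_encode(gzip.decompress(wire_bytes), mtime=mtime, level=level) == wire_bytes


if __name__ == "__main__":
    tar = build_tar(TAR_FILES)
    wire = gzip_encode(tar, mtime=SERVER_MTIME, level=9)  # what the server sends for foo.tar.gz
    ok, saved = download(wire, "application/x-tar", "gzip", sri_digest(tar))
    print("tar.gz: check passed:", ok, "saved compressed bytes:", saved == wire)
    print("recompress with different settings reproduces wire:",
          recompress_reproduces_wire(wire, 0, 6))
    print("recompress with identical settings reproduces wire:",
          recompress_reproduces_wire(wire, SERVER_MTIME, 9))
    ok, saved = download(gzip_encode(PDF_BYTES), "application/pdf", "gzip", sri_digest(PDF_BYTES))
    print("pdf: check passed:", ok, "saved decoded bytes:", saved == PDF_BYTES)
```

Note that a digest computed over the gzipped wire bytes fails the check in this model, because the check sees the decoded body; conversely, the only way to keep the saved foo.tar.gz identical to the server's file is to write the original wire bytes, not a recompressed copy.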