W3C home > Mailing lists > Public > public-webappsec@w3.org > April 2014

Re: [integrity] What should we hash?

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Wed, 09 Apr 2014 13:18:29 -0400
Message-ID: <534580E5.1020003@mit.edu>
To: Devdatta Akhawe <dev.akhawe@gmail.com>
CC: Mark Nottingham <mnot@mnot.net>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On 4/9/14 1:11 PM, Devdatta Akhawe wrote:
> Or just not do a streaming decompress/recompress. If
> content-encoding:gzip is sent but the browser didn't plan on doing a
> decompress already, the browser can just fail.

"Just fail to save the file the user asked you to save" is not exactly 
something I would like to ship.

> If I am not wrong, if I want to download exe, pdf etc and the server
> sends these with a content-encoding:gzip, browsers already do a
> decompress.

Correct.

> The only place where a decompress isn't done is something
> like: file is foor.tar.gz, content-type is application/x-tar and
> content-encoding is gzip.

Yes.  The default Apache config, last I checked.

> Browsers can fail SRI check for such downloads to avoid a streaming decompress/recompress.

See above.  You'd be setting up a situation where the download works 
fine in a browser without SRI but fails in one with.  Which is a general 
problem with SRI, of course...  But the point is that from a user's 
point of view the browser will update and stuff will stop working.  That 
is what we call a Bad User Experience.

> Since this would be easily noticeable during testing

You're assuming people test their stuff on the web.  Some do.  More don't...

-Boris
Received on Wednesday, 9 April 2014 17:19:00 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:05 UTC