Re: [integrity] What should we hash?

From: Mark Nottingham <mnot@mnot.net>
Date: Thu, 10 Apr 2014 09:47:56 +1000
Cc: Boris Zbarsky <bzbarsky@mit.edu>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-Id: <DB4A7870-4ED9-45F7-9E32-9E6BE8B64832@mnot.net>
To: Devdatta Akhawe <dev.akhawe@gmail.com>
That language isn’t quite right; as I think / hope I said before, ‘representation’ encompasses content-codings. I think you need something more like this:

The hash is calculated against the representation <http://tools.ietf.org/html/draft-ietf-httpbis-p2-semantics-26#section-> without any content-codings applied, except when there is an explicit flag that the content is to be consumed with content-encodings (e.g., saving a gzip’d file to disk). 


On 10 Apr 2014, at 3:39 am, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:

> Sites do that sort of thing all the time.  _All_ the time...
> hahahaha.. ok. I bow to your far more extensive experience with all this :)
> I am going to wait a few days in case anyone else wants to chime in, else I will modify the spec to say what you are pushing for. See previous email if you want to see the text again http://lists.w3.org/Archives/Public/public-webappsec/2014Mar/0047.html
> thanks
> dev

Mark Nottingham   http://www.mnot.net/
Received on Wednesday, 9 April 2014 23:48:25 UTC
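
Added example (not part of the original message or of the integrity spec): a Python sketch of the rule proposed above, hashing the representation with content-codings removed unless an explicit flag says the coded bytes are what gets consumed. SHA-256, the consume_encoded parameter, the set of supported codings and the sample script are assumptions made for illustration.

```python
import gzip
import hashlib
import zlib

# Decoders for the content-codings this sketch understands (an assumption;
# a real user agent handles whatever codings it advertises).
_DECODERS = {
    "gzip": gzip.decompress,
    "x-gzip": gzip.decompress,
    "deflate": zlib.decompress,  # HTTP "deflate" is the zlib container
    "identity": lambda data: data,
}


def strip_content_codings(body: bytes, content_encoding: str) -> bytes:
    """Undo every coding named in a Content-Encoding header value."""
    codings = [c.strip().lower() for c in content_encoding.split(",") if c.strip()]
    # The header lists codings in the order they were applied, so they
    # are undone last-to-first.
    for coding in reversed(codings):
        if coding not in _DECODERS:
            raise ValueError(f"unsupported content-coding: {coding}")
        body = _DECODERS[coding](body)
    return body


def integrity_digest(body: bytes, content_encoding: str = "",
                     consume_encoded: bool = False) -> str:
    """SHA-256 hex digest of the bytes the consumer will actually use.

    consume_encoded is the hypothetical "explicit flag": True means the
    coded bytes themselves are the payload (e.g. a .gz saved to disk).
    """
    if not consume_encoded:
        body = strip_content_codings(body, content_encoding)
    return hashlib.sha256(body).hexdigest()


# Constructed sample: one script, as authored and as sent with gzip coding.
SCRIPT = b"console.log('hello');\n"
ON_THE_WIRE_GZIP = gzip.compress(SCRIPT)
EXPECTED = hashlib.sha256(SCRIPT).hexdigest()

if __name__ == "__main__":
    print(integrity_digest(SCRIPT) == EXPECTED)
    print(integrity_digest(ON_THE_WIRE_GZIP, "gzip") == EXPECTED)
    print(integrity_digest(ON_THE_WIRE_GZIP, "gzip", True) == EXPECTED)
```

Hashing the coded bytes instead would make the same resource verify or fail depending on which coding the server or an intermediary happened to apply.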