
Re: [integrity] What should we hash?

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Tue, 22 Apr 2014 22:31:44 -0700
Message-ID: <CAPfop_23g61yjKNXmtoZN5TYhZOYHNrwqM1B6Q4OmHYQqQVyRw@mail.gmail.com>
To: Mark Nottingham <mnot@mnot.net>
Cc: Boris Zbarsky <bzbarsky@mit.edu>, "public-webappsec@w3.org" <public-webappsec@w3.org>

Hi

Based on this discussion (thanks Boris and Mark!), I pushed:
 https://github.com/w3c/webappsec/commit/20e8e973bcea26495d8bd2211f8439085f640196
(http://w3c.github.io/webappsec/specs/subresourceintegrity/#apply-algorithm-to-resource
if you prefer html)

Mark: For "expressed intent by the user or origin", can you give me
an example of how the user/origin does this in the case of gzip'ed files? To
me, it seems like a decision purely by the user agent.

For that reason, I used the term "except when user agent intends to
consume the content without content-encoding applied" instead of
"expressed intent ...."  I can add a parenthetical "(because of an
expressed intent by the user or origin)", but I am worried it is
making an already vague line even more vague.


thanks
dev

On 10 April 2014 15:15, Mark Nottingham <mnot@mnot.net> wrote:
>
> On 11 Apr 2014, at 3:56 am, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
>
>> Mark said:
>>> --8<--
>>> The hash is calculated against the representation <http://tools.ietf.org/html/draft-ietf-httpbis-p2-semantics-26#section-3.1.1.5> without any content-codings applied, except when there is an explicit flag that the content is to be consumed with content-encodings (e.g., saving a gzip'd file to disk).
>>> -->8---
>>
>> Oops! Yeah, you are right and you had already clarified this. That was
>> a mistake in my email. Sorry about that. Although, I don't know what
>> you mean by "explicit flag" above. What's the explicit flag when
>> gzip'ed files are downloaded?
>
> 'explicit flag' may be the wrong phrase -- maybe "expressed intent by the user or origin"?
>
> --
> Mark Nottingham   http://www.mnot.net/
>
>
>
Received on Wednesday, 23 April 2014 05:32:34 UTC
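
The rule discussed in this thread, as an added example that is not part of the original message or of the spec text: the digest is taken over the representation with content-codings removed, unless the content is to be consumed still encoded. The `sha256-<base64>` digest notation, the function names and the sample script are assumptions made for illustration.

```python
import base64
import gzip
import hashlib
import hmac
import zlib

def decode_content_codings(body: bytes, content_encoding: str) -> bytes:
    """Undo the codings named in Content-Encoding, last-applied first."""
    codings = [c.strip().lower() for c in content_encoding.split(",") if c.strip()]
    for coding in reversed(codings):
        if coding in ("gzip", "x-gzip"):
            body = gzip.decompress(body)
        elif coding == "deflate":
            body = zlib.decompress(body)  # HTTP "deflate" is the zlib format
        elif coding != "identity":
            raise ValueError(f"unsupported content-coding: {coding!r}")
    return body

def integrity_digest(data: bytes) -> str:
    """Assumed digest notation: 'sha256-' + base64(SHA-256(data))."""
    return "sha256-" + base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")

def verify(body: bytes, content_encoding: str, expected: str,
           consume_encoded: bool = False) -> bool:
    """Hash the representation with content-codings removed.

    consume_encoded=True models the exception in the thread: the content is
    to be consumed with its content-encoding intact (e.g. a gzip'd file saved
    to disk), so the bytes as received are hashed instead.
    """
    data = body if consume_encoded else decode_content_codings(body, content_encoding)
    return hmac.compare_digest(integrity_digest(data), expected)

# Constructed sample resource and the same resource as a gzip-coded response body.
SCRIPT = b"console.log('hello from a constructed sample script');\n"
GZIPPED = gzip.compress(SCRIPT, mtime=0)
EXPECTED = integrity_digest(SCRIPT)

if __name__ == "__main__":
    print("identity response verifies:", verify(SCRIPT, "", EXPECTED))
    print("gzip response verifies:    ", verify(GZIPPED, "gzip", EXPECTED))
    print("wire bytes hashed instead: ", verify(GZIPPED, "gzip", EXPECTED, consume_encoded=True))
    print("saved-as-gzip, own digest: ",
          verify(GZIPPED, "gzip", integrity_digest(GZIPPED), consume_encoded=True))
```

A digest published for the decoded script verifies whether or not the server compresses the response; it only fails when the encoded bytes are hashed, which is why the saved-to-disk case needs a digest of the encoded file.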
