Re: [SRI] What should we Hash Redux

From: Anne van Kesteren <annevk@annevk.nl>
Date: Thu, 3 Jul 2014 11:12:39 +0200
Message-ID: <CADnb78h6GSMR2mwQ9YX75_fYNx-ppMWwf-6L_RX6B1vyBJtAnA@mail.gmail.com>
To: Devdatta Akhawe <dev.akhawe@gmail.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

On Wed, Jul 2, 2014 at 11:58 PM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
> What do others think? Is there any difference between the new Fetch spec and
> what SRI wants to hash? I couldn't see one, but maybe I am wrong.

Per HTTP the payload body is a message body with any content codings removed.

It seems what you want to hash depends a bit on the API. Most APIs on
the platform today, including XMLHttpRequest, expose the payload body.
fetch() exposes the message body (as a stream, though the only methods
available on that stream undo the content codings and give you the
payload body as a result). <a download> is likely not fully defined.
From what I understood from bz it will depend on what is being
downloaded and what the file extension situation looks like...

Note that progress events also report about the message body (I just
noticed that Fetch is wrong about this as I confused payload and
message once more, my bad).

Received on Thursday, 3 July 2014 09:13:06 UTC
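
The distinction drawn in the message above, as an added example that is not part of the original post: a constructed sample resource is served under several content codings, and the digest of the message body (bytes as sent) is compared with the digest of the payload body (content codings removed). The `sha256-` label, the function names and the sample bytes are assumptions made for this illustration.

```python
import base64
import gzip
import hashlib
import zlib

# Constructed sample resource (not taken from the thread).
RESOURCE = b"console.log('hello from a constructed sample script');\n" * 20


def digest(data: bytes) -> str:
    """Base64 SHA-256 digest with a 'sha256-' label (label format is an assumption)."""
    return "sha256-" + base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def encode(payload: bytes, coding: str, level: int = 6) -> bytes:
    """Apply one content coding to the payload body, giving the message body."""
    if coding == "identity":
        return payload
    if coding == "gzip":
        return gzip.compress(payload, compresslevel=level, mtime=0)
    if coding == "deflate":  # HTTP "deflate" is the zlib container format
        return zlib.compress(payload, level)
    raise ValueError(f"unsupported content coding: {coding}")


def decode(message_body: bytes, coding: str) -> bytes:
    """Remove the content coding, recovering the payload body."""
    if coding == "identity":
        return message_body
    if coding == "gzip":
        return gzip.decompress(message_body)
    if coding == "deflate":
        return zlib.decompress(message_body)
    raise ValueError(f"unsupported content coding: {coding}")


def compare(payload: bytes) -> dict:
    """Map each server variant to (message-body digest, payload-body digest)."""
    variants = [("identity", 6), ("gzip", 1), ("gzip", 9), ("deflate", 6)]
    out = {}
    for coding, level in variants:
        wire = encode(payload, coding, level)
        out[f"{coding}/{level}"] = (digest(wire), digest(decode(wire, coding)))
    return out


if __name__ == "__main__":
    for variant, (message, payload) in compare(RESOURCE).items():
        print(f"{variant:12} message={message}  payload={payload}")
```

A digest taken over the message body changes with the coding the server picks and with its compression settings, while the digest over the payload body is the same for every variant.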