Re: [SRI] What should we Hash Redux

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Thu, 3 Jul 2014 09:37:48 -0700
Message-ID: <CAPfop_0WjG=GYq-QCz3SJ=1=q5Uj9naHbC-siDBeC58P1dA_OA@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

Hi Anne,

> Per HTTP the payload body is a message body with any content codings removed.
>

See mnot's note:
http://lists.w3.org/Archives/Public/public-webappsec/2014Mar/0026.html

Payload removes gzip transfer-encodings but not content encoding.
Based on the thread, it seemed like there was no simple "spec

> It seems what you want to hash depends a bit on the API. Most APIs on

Yes, and I think what the SW API exposes and SRI's what to hash will
be the same.

> the platform today, including XMLHttpRequest, expose the payload body.

Per above, are you referring here to "with gzip content encoding
removed" or without?

> fetch() exposes the message body (as a stream, though the only methods
> available on that stream undo the content codings and give you the
> payload body as a result).

So, fetch and XHR both use the body with content codings removed? What
happens when it is a tar.gz file with Content-Encoding: gzip? Do
fetch and XHR remove the codings?


> <a download> is likely not fully defined.
> From what I understood from bz it will depend on what is being
> downloaded and what the file extension situation looks like...

Yeah. SW can interact with a download too, right? What will that look like?


Thanks,
Dev
Received on Thursday, 3 July 2014 16:38:35 UTC
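
An added illustration, not part of the original message or of any SRI implementation: the two candidate inputs to the hash discussed above (body bytes as received versus body with content codings removed), computed for a gzip-coded script and for the tar.gz case. The function names, the sample responses and the assumption that the server labels the archive's own gzip layer as `Content-Encoding: gzip` are all constructed for this example.

```javascript
// Added illustration; every response and byte string below is constructed.
const crypto = require('node:crypto');
const zlib = require('node:zlib');

// SRI-style digest string: "<alg>-<base64 digest>".
function integrity(bytes, alg = 'sha256') {
  return `${alg}-${crypto.createHash(alg).update(bytes).digest('base64')}`;
}

// Undo the codings named in Content-Encoding, last-applied first.
function removeContentCodings(body, contentEncoding) {
  const codings = (contentEncoding || '')
    .split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);
  let out = body;
  for (const coding of codings.reverse()) {
    if (coding === 'gzip' || coding === 'x-gzip') out = zlib.gunzipSync(out);
    else if (coding === 'deflate') out = zlib.inflateSync(out);
    else if (coding !== 'identity') throw new Error(`unsupported coding: ${coding}`);
  }
  return out;
}

// Both candidate digests for one response: bytes as received vs. codings removed.
function candidateDigests(response) {
  const decoded = removeContentCodings(response.body, response.headers['content-encoding']);
  return { wire: integrity(response.body), decoded: integrity(decoded) };
}

// Case 1: the author hashes script.js on disk; the server gzips it in transit.
const script = Buffer.from('console.log("hello");\n');
const scriptResponse = {
  headers: { 'content-encoding': 'gzip' },
  body: zlib.gzipSync(script),
};

// Case 2: the author hashes pkg.tar.gz on disk. Assumption: the server sends
// those same bytes and labels the file's own gzip layer as a content coding.
const tarBytes = Buffer.from('stand-in for tar contents');
const archive = zlib.gzipSync(tarBytes); // what the author has on disk
const archiveResponse = {
  headers: { 'content-encoding': 'gzip' },
  body: archive,
};

for (const [name, res] of [['script.js', scriptResponse], ['pkg.tar.gz', archiveResponse]]) {
  console.log(name, candidateDigests(res));
}
```

With these inputs the digest of the file the author holds matches the decoded bytes for the script but the received bytes for the archive, so neither rule reproduces the author's hash in both cases.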