W3C home > Mailing lists > Public > public-webappsec@w3.org > March 2014

Re: [integrity] What should we hash?

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Wed, 12 Mar 2014 23:27:09 -0700
Message-ID: <CAPfop_0h3A359Y37W1Z69qcqE6f4eKshPaqX5C-7fHm_n-n+Fw@mail.gmail.com>
To: Boris Zbarsky <bzbarsky@mit.edu>
Cc: Mark Nottingham <mnot@mnot.net>, "public-webappsec@w3.org" <public-webappsec@w3.org>
I think the browser should undo the content-encoding for downloads
that include integrity metadata. It is unnecessary since the browser
will throw it away anyhow but useful for spec simplicity.  We should
mention this in the spec and warn developers relying on integrity
about this gotcha.

thanks
Dev

On 12 March 2014 23:15, Boris Zbarsky <bzbarsky@mit.edu> wrote:
> On 3/13/14 2:09 AM, Devdatta Akhawe wrote:
>>
>> The spec does talk about downloads. Seems to me that my browser does
>> undo the encodings when I download something. Say I save a text file
>> sent over HTTP. with Content Encoding set to gzip. It won't give me a
>> txt.gz file, right?
>
>
> It depends.
>
> What Firefox implements is the following.  When saving a file, we compare
> the declared Content-Encoding to the extension of the filename we're
> planning to save the file with (this last typically comes from the URL or
> from a Content-Disposition header from the server).  If the Content-Encoding
> matches the filename extension, we leave the Content-Encoding in place.
> Otherwise we undo it.
>
> As a concrete example, if we're saving http://example.com/foo.txt.gz and
> it's sent as "Content-Type: text/plain" and "Content-Encoding: gzip", we
> will save the data as-is (after undoing any Transfer-Encodings) and name the
> file "foo.txt.gz".  But if we're saving http://example.com/foo.txt sent with
> the same headers, we'll run it through gunzip before sending it to disk, and
> name the file "foo.txt".
>
> This is particularly important for the common case of .tar.gz or .tgz files
> that get sent as "Content-Type: application/x-tar" and "Content-Encoding:
> gzip" and which no one wants to be gunzipped when saving....
>
> -Boris
Received on Thursday, 13 March 2014 06:28:50 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:05 UTC