Re: [integrity] What should we hash?

On 3/15/14 12:42 AM, Devdatta Akhawe wrote:
> We are adding a new opt-in feature so we can be a bit more strict. How
> about this: Spec mandates that for links with integrity attribute, the
> browser will always remove content encodings: both for calculating
> hash and for saving to disk.

My suspicion is that the way this will work in practice is that people 
will start adding the attributes before browsers start shipping the 
feature... and then behavior will suddenly change in inexplicable ways.

> If you want to provide gzip'ed downloads and also want to use
> integrity, you have to then provide gzip'ed downloads without sending
> the "Content-Encoding: gzip" header.

Unfortunately, the default web server behavior in many cases is to serve 
.tar.gzip files with Content-Encoding: gzip, at least last I checked.

I'm not talking about things like dropbox, which are presumably very 
intentional about the headers they send with a download.

-Boris

Received on Saturday, 15 March 2014 04:55:12 UTC
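
The mismatch discussed in this message, as an added Python sketch (not code from the thread or from any spec draft): the same .tar.gz bytes verify or fail depending only on whether the server labels them with Content-Encoding: gzip. The function names, header dicts and sample archive are constructed, and hex SHA-256 stands in for the integrity attribute's actual digest syntax.

```python
import gzip
import hashlib
import io
import tarfile


def make_tar_gz() -> bytes:
    """Constructed sample: a one-file .tar.gz built in memory."""
    data = b"constructed release contents\n"
    info = tarfile.TarInfo(name="release/README")
    info.size = len(data)
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def digest(body: bytes) -> str:
    # Hex SHA-256 stands in for the attribute's real digest syntax (assumption).
    return hashlib.sha256(body).hexdigest()


def client_hash_input(headers: dict, wire_body: bytes) -> bytes:
    """Rule proposed in the thread: remove content encodings before hashing."""
    if headers.get("Content-Encoding", "").strip().lower() == "gzip":
        return gzip.decompress(wire_body)
    return wire_body


def verify(headers: dict, wire_body: bytes, expected: str) -> bool:
    return digest(client_hash_input(headers, wire_body)) == expected


if __name__ == "__main__":
    archive = make_tar_gz()
    published = digest(archive)  # author hashes the .tar.gz they uploaded

    # Server A sends the archive as an opaque file: bytes hashed == bytes uploaded.
    server_a = {"Content-Type": "application/gzip"}
    # Server B (the default described above) labels the same bytes as an encoding.
    server_b = {"Content-Type": "application/x-tar", "Content-Encoding": "gzip"}

    print("server A matches:", verify(server_a, archive, published))
    print("server B matches:", verify(server_b, archive, published))
    # Under the proposed rule, only the hash of the inner .tar matches on B.
    inner_tar = client_hash_input(server_b, archive)
    print("server B, tar hash:", verify(server_b, archive, digest(inner_tar)))
```

On server B the author would have to publish the hash of the decompressed .tar, which is not the file they uploaded.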