W3C home > Mailing lists > Public > public-webappsec@w3.org > March 2014

Re: [integrity] What should we hash?

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Sat, 15 Mar 2014 00:54:41 -0400
Message-ID: <5323DD11.2090007@mit.edu>
To: Devdatta Akhawe <dev.akhawe@gmail.com>
CC: Mark Nottingham <mnot@mnot.net>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On 3/15/14 12:42 AM, Devdatta Akhawe wrote:
> We are adding a new opt-in feature so we can be a bit more strict. How
> about this: Spec mandates that for links with integrity attribute, the
> browser will always remove content encodings: both for calculating
> hash and for saving to disk.

My suspicion is that the way this will work in practice is that people 
will start adding the attributes before browsers start shipping the 
feature....  and then behavior will suddenly change in inexplicable ways.

> If you want to provide gzip'ed downloads and also want to use
> integrity, you have to then provide gzip'ed downloads without sending
> the "Content-Encoding: gzip" header.

Unfortunately, the default web server in many cases is to serve 
.tar.gzip files with Content-Encoding: gzip, at least last I checked.

I'm not talking about things like dropbox, which are presumably very 
intentional about the headers they send with a download.

-Boris
Received on Saturday, 15 March 2014 04:55:12 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:05 UTC