- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Sat, 15 Mar 2014 00:54:41 -0400
- To: Devdatta Akhawe <dev.akhawe@gmail.com>
- CC: Mark Nottingham <mnot@mnot.net>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On 3/15/14 12:42 AM, Devdatta Akhawe wrote:
> We are adding a new opt-in feature so we can be a bit more strict. How
> about this: Spec mandates that for links with integrity attribute, the
> browser will always remove content encodings: both for calculating
> hash and for saving to disk.

My suspicion is that the way this will work in practice is that people will start adding the attributes before browsers start shipping the feature.... and then behavior will suddenly change in inexplicable ways.

> If you want to provide gzip'ed downloads and also want to use
> integrity, you have to then provide gzip'ed downloads without sending
> the "Content-Encoding: gzip" header.

Unfortunately, the default web server in many cases is to serve .tar.gzip files with Content-Encoding: gzip, at least last I checked. I'm not talking about things like dropbox, which are presumably very intentional about the headers they send with a download.

-Boris
Received on Saturday, 15 March 2014 04:55:12 UTC
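The two cases argued over in the message above, as an added worked example that is not part of the thread and not code from any browser or from the SRI spec: a small verifier with a switch between "hash the content-decoded bytes" (the rule Devdatta proposes) and "hash the bytes on the wire", run over two constructed responses. The function names, the sample script, the sample tarball and the header dictionaries are all assumptions made for the illustration; only the `sha256-<base64>` shape of the integrity value follows the integrity attribute's format.

```python
import base64
import gzip
import hashlib
import hmac
import io
import tarfile

def sri_digest(data: bytes, algo: str = "sha256") -> str:
    """Return an integrity-attribute style 'algo-base64digest' over `data`."""
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"

def content_decode(body: bytes, headers: dict) -> bytes:
    """Remove a single Content-Encoding layer (gzip or identity only, for the example)."""
    enc = headers.get("Content-Encoding", "identity").strip().lower()
    if enc in ("", "identity"):
        return body
    if enc == "gzip":
        return gzip.decompress(body)
    raise ValueError(f"unsupported Content-Encoding: {enc}")

def verify_integrity(body: bytes, headers: dict, expected: str, on_decoded: bool) -> bool:
    """Check `expected` against the response.

    on_decoded=True  -> hash after stripping Content-Encoding (the proposal in the thread)
    on_decoded=False -> hash the wire bytes as received
    """
    algo, _, _ = expected.partition("-")
    data = content_decode(body, headers) if on_decoded else body
    return hmac.compare_digest(sri_digest(data, algo), expected)

# Constructed sample 1: a script that the server gzips on the fly.
SCRIPT = b"console.log('hello');\n"
SCRIPT_GZ = gzip.compress(SCRIPT, mtime=0)

def script_scenario() -> dict:
    """Author hashes the script source; server adds Content-Encoding: gzip."""
    integrity = sri_digest(SCRIPT)
    headers = {"Content-Encoding": "gzip"}
    return {
        "decoded_policy": verify_integrity(SCRIPT_GZ, headers, integrity, on_decoded=True),
        "wire_policy": verify_integrity(SCRIPT_GZ, headers, integrity, on_decoded=False),
    }

def make_tar() -> bytes:
    """Build a tiny tar archive in memory (constructed sample data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        payload = b"sample\n"
        info = tarfile.TarInfo("README")
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()

# Constructed sample 2: a .tar.gz file sitting on disk, hashed as-is by its author.
TAR = make_tar()
TAR_GZ = gzip.compress(TAR, mtime=0)

def tarball_scenario() -> dict:
    """The .tar.gz case: the author hashes the file on disk, then the server
    either (mis)labels it Content-Encoding: gzip or serves it with no encoding header."""
    integrity = sri_digest(TAR_GZ)
    labelled = {"Content-Encoding": "gzip"}
    plain = {}
    return {
        # Server adds Content-Encoding: gzip to a file that is already gzip.
        "decoded_policy": verify_integrity(TAR_GZ, labelled, integrity, on_decoded=True),
        "wire_policy": verify_integrity(TAR_GZ, labelled, integrity, on_decoded=False),
        # Under the decoded rule the bytes that would be saved are the bare tar, not the .tar.gz.
        "saved_bytes_are_tar_gz": content_decode(TAR_GZ, labelled) == TAR_GZ,
        # Devdatta's workaround: ship the same bytes without the encoding header.
        "decoded_policy_without_header": verify_integrity(TAR_GZ, plain, integrity, on_decoded=True),
    }

if __name__ == "__main__":
    print("script  :", script_scenario())
    print("tarball :", tarball_scenario())
```

Run as written, the script case verifies only under the decoded rule, because the author hashed the source and the wire bytes change with every gzip setting. The tarball case is the reverse: the hash the author took of the `.tar.gz` on disk fails under the decoded rule as soon as the server labels the file `Content-Encoding: gzip`, and what would be saved is the decompressed tar, which is exactly the silent behaviour change the reply warns about for servers that send that header by default. Dropping the header (the last key) makes the decoded rule and the on-disk hash agree again.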