
Re: Couple comments on Subresource Integrity

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Wed, 26 Mar 2014 10:59:57 +0530
Message-ID: <CAPfop_1n-4cV8gj08LE5dx4sGB8PuVMTAyO2CCwLH+yeoCJ-dQ@mail.gmail.com>
To: Trevor Perrin <trevp@trevp.net>
Cc: Brad Hill <hillbrad@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
> I'll have to think more about it.  Do you need the HTML to specify
> other content negotiation headers, like Accept-Language,
> Accept-Charset, Accept-Encoding, etc?

Not sure. But, the RFC syntax allows us to add these (via similar
syntax as content-type) if needed later. Contrast with including it in
the hash, where we will then be stuck. But, if we get consensus
that a 20 page RFC is not needed for our simple use cases, we can
consider simplifying it. In any case, as you note:

> Anyways, I think this spec is a great idea and how you base64 the hash
> doesn't really matter.  I'd be happy to drop this while bigger issues
> are discussed.

Thanks! As you yourself noticed, the dependency on 6920 isn't huge and
we would really appreciate feedback on the other parts of the spec for
now. The 6920 syntax does give us some advantages (e.g., the ones I
pointed out earlier).

>
> So you probably need to think more about things like registering algo
> names, hash truncation, hash agility, content negotiation,
> canonicalization, etc.

Yes! Feedback on these things would be great. We try to talk about it,
but more feedback will be great. Also see the "What should we hash"
thread in the archives:
http://lists.w3.org/Archives/Public/public-webappsec/2014Mar/0023.html

thanks
Dev
Received on Wednesday, 26 March 2014 05:30:44 UTC
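As an added illustration (not code from the thread or from the SRI draft), the following Python routine builds and verifies an RFC 6920 `ni` URI of the kind discussed above: the content type travels as a `ct` query parameter instead of being folded into the hash, and the registered truncated suites (sha-256-128 etc.) are honoured. The `SUITES` table, the regex and the function names are assumptions of this example.

```python
import base64
import hashlib
import hmac
import re
from urllib.parse import parse_qs

# RFC 6920 "ni" URI: ni:///<suite>;<base64url digest, no padding>[?ct=<media type>]
NI_RE = re.compile(
    r"^ni:///(?P<alg>[A-Za-z0-9-]+);(?P<digest>[A-Za-z0-9_-]+)(?:\?(?P<query>.*))?$"
)

# Registered RFC 6920 suite names -> (hashlib algorithm, digest bits kept).
SUITES = {
    "sha-256": ("sha256", 256),
    "sha-256-128": ("sha256", 128),
    "sha-256-120": ("sha256", 120),
    "sha-256-96": ("sha256", 96),
    "sha-256-64": ("sha256", 64),
    "sha-256-32": ("sha256", 32),
}


def digest_for(data: bytes, suite: str) -> bytes:
    """Hash the resource and keep only the leading bits the suite specifies."""
    algo, bits = SUITES[suite]
    return hashlib.new(algo, data).digest()[: bits // 8]


def ni_uri(data: bytes, suite: str = "sha-256", content_type: str = "") -> str:
    """Produce the ni URI a page author would embed for a resource."""
    # RFC 6920 uses base64url and strips the "=" padding.
    encoded = base64.urlsafe_b64encode(digest_for(data, suite)).rstrip(b"=").decode("ascii")
    uri = f"ni:///{suite};{encoded}"
    if content_type:
        uri += f"?ct={content_type}"
    return uri


def verify(data: bytes, content_type: str, uri: str) -> bool:
    """Check a fetched resource (bytes + served Content-Type) against an ni URI."""
    m = NI_RE.match(uri)
    if not m or m["alg"] not in SUITES:
        return False  # unknown or unregistered suite: fail closed
    params = parse_qs(m["query"] or "")
    if "ct" in params and params["ct"][0].lower() != content_type.lower():
        return False  # content type pinned in the URI does not match what arrived
    encoded = m["digest"]
    expected = base64.urlsafe_b64decode(encoded + "=" * (-len(encoded) % 4))
    return hmac.compare_digest(expected, digest_for(data, m["alg"]))
```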