
[CSP] Inconsistency between Source hash introduction and Source hash usage

From: Yagihashi Yu <yagihash@sfc.wide.ad.jp>
Date: Fri, 24 Oct 2014 23:52:17 +0900
Message-Id: <AB66CDFC-E54E-44E4-99A5-19501F2DCCB0@sfc.wide.ad.jp>
To: public-webappsec@w3.org
I noticed that the descriptions of the source hash are inconsistent in the CSP Lv.2 Last Call Working Draft.
http://www.w3.org/TR/CSP11/
http://www.w3.org/TR/CSP2/

In 4.2.5, the draft says "Let actual be the base64 encoding of the binary digest of element's content using the algorithm algorithm.", however 7.17.2 says "For example, the SHA-256 digest of alert('Hello, world.'); is YWIzOWNiNzJjNDRlYzc4MTgwMDhmZDlkOWI0NTAyMjgyY2MyMWJlMWUyNjc1ODJlYWJhNjU5MGU4NmZmNGU3OAo=.".
Section 4.2.5 describes it correctly, matching the actual implementation in Google Chrome.
The correct base64-encoded SHA-256 binary digest of alert('Hello, world.'); is qznLcsROx4GACP2dm0UCKCzCG+HiZ1guq6ZZDob/Tng=.

It's obvious that the former is correct and the latter is wrong; still, this mistake is sometimes misleading.
(It misled me, actually...)

/**
 * Yu Yagihashi
 * yagihash@sfc.wide.ad.jp
 */
Received on Saturday, 25 October 2014 12:12:25 UTC
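The two values the message contrasts, reproduced as an added example that is not part of the original message or of the CSP specification: `csp_hash_source` follows the 4.2.5 procedure (base64 of the raw binary digest), `hex_then_base64` reproduces how the wrong 7.17.2 string was evidently produced (base64 of the hex digest plus a trailing newline), and `inline_script_allowed` applies the 4.2.5 comparison to a policy source list. The function names are my own.

```python
import base64
import hashlib

# The inline script from the CSP2 hash example discussed in the message.
SCRIPT = "alert('Hello, world.');"


def csp_hash_source(content: str, algorithm: str = "sha256") -> str:
    """Hash-source token per CSP2 4.2.5: base64 of the *binary* digest of the
    element's (UTF-8 encoded) content, prefixed with the algorithm name."""
    digest = hashlib.new(algorithm, content.encode("utf-8")).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def hex_then_base64(content: str, algorithm: str = "sha256") -> str:
    """The mistaken form: base64 of the hex digest plus a trailing newline,
    i.e. base64-encoding the text line a digest tool prints. The result is
    88 characters instead of 44 and never equals the real token."""
    hexdigest = hashlib.new(algorithm, content.encode("utf-8")).hexdigest()
    return base64.b64encode((hexdigest + "\n").encode("ascii")).decode("ascii")


def inline_script_allowed(content: str, policy_sources: list[str]) -> bool:
    """Apply the 4.2.5 check: the script is allowed if some hash-source in the
    policy's source list equals the token freshly computed from its content.
    Only the sha256/sha384/sha512 algorithms CSP2 defines are considered."""
    for source in policy_sources:
        token = source.strip("'")
        algorithm, _, _ = token.partition("-")
        if algorithm not in ("sha256", "sha384", "sha512"):
            continue  # not a hash-source (e.g. 'self', a host, a nonce)
        if csp_hash_source(content, algorithm) == token:
            return True
    return False
```

Any change to the script text, even trailing whitespace, changes the digest, so the token must be computed over the exact element content.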

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:07 UTC