
[CSP] Inconsistency between Source hash introduction and Source hash usage

From: Yagihashi Yu <yagihash@sfc.wide.ad.jp>
Date: Fri, 24 Oct 2014 23:52:17 +0900
Message-Id: <AB66CDFC-E54E-44E4-99A5-19501F2DCCB0@sfc.wide.ad.jp>
To: public-webappsec@w3.org
I noticed that the descriptions of the source hash are inconsistent in the CSP Lv.2 Last Call Working Draft.

In 4.2.5, the draft says "Let actual be the base64 encoding of the binary digest of element's content using the algorithm algorithm.", however 7.17.2 says "For example, the SHA-256 digest of alert('Hello, world.'); is YWIzOWNiNzJjNDRlYzc4MTgwMDhmZDlkOWI0NTAyMjgyY2MyMWJlMWUyNjc1ODJlYWJhNjU5MGU4NmZmNGU3OAo=.".
Section 4.2.5 describes it correctly, according to the actual implementation in Google Chrome.
The correct base64-encoded SHA-256 binary digest of alert('Hello, world.'); is qznLcsROx4GACP2dm0UCKCzCG+HiZ1guq6ZZDob/Tng=.

It's obvious that the former is correct and the latter is wrong, though this mistake is sometimes misleading.
(It misled me, actually…)

 * Yu Yagihashi
 * yagihash@sfc.wide.ad.jp
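As an added illustration (not part of the original post or of the specification text), the following Python reproduces both values quoted above: the 4.2.5 form is base64 of the raw 32-byte digest, while the 7.17.2 value turns out to be base64 of the hex digest text plus a trailing newline, which is what piping a hex-printing digest tool into a base64 encoder produces. The sample script body, policy tokens and the matching routine are constructed here for the demonstration.

```python
import base64
import hashlib

# Constructed sample: the inline script body used as the example in the draft.
SCRIPT = b"alert('Hello, world.');"

# Constructed sample script-src tokens: the value computed as 4.2.5 describes,
# and the value printed in 7.17.2 of the draft.
CORRECT_TOKEN = "'sha256-qznLcsROx4GACP2dm0UCKCzCG+HiZ1guq6ZZDob/Tng='"
MISTAKEN_TOKEN = ("'sha256-YWIzOWNiNzJjNDRlYzc4MTgwMDhmZDlkOWI0NTAyMjgyY2MyMWJl"
                  "MWUyNjc1ODJlYWJhNjU5MGU4NmZmNGU3OAo='")


def csp_hash_source(content: bytes, algorithm: str = "sha256") -> str:
    """4.2.5: base64 of the *binary* digest of the element's content."""
    return base64.b64encode(hashlib.new(algorithm, content).digest()).decode("ascii")


def mistaken_hash_source(content: bytes, algorithm: str = "sha256") -> str:
    """Reproduces the 7.17.2 value: base64 of the hex digest *text* plus a
    trailing newline, i.e. the hex string was encoded instead of the bytes."""
    hex_line = hashlib.new(algorithm, content).hexdigest() + "\n"
    return base64.b64encode(hex_line.encode("ascii")).decode("ascii")


def repair_hex_hash_source(wrong: str) -> str:
    """Convert a hex-text-encoded value back to the correct binary-digest form."""
    hex_text = base64.b64decode(wrong).decode("ascii").strip()
    return base64.b64encode(bytes.fromhex(hex_text)).decode("ascii")


def inline_script_allowed(script_src_tokens: list[str], content: bytes) -> bool:
    """Match a script body against the 'sha256-...' style hash-source tokens of
    a script-src directive, the way a user agent would per 4.2.5."""
    for token in script_src_tokens:
        algorithm, sep, expected = token.strip("'").partition("-")
        if not sep or algorithm not in ("sha256", "sha384", "sha512"):
            continue
        if csp_hash_source(content, algorithm) == expected:
            return True
    return False


if __name__ == "__main__":
    print("4.2.5 form :", csp_hash_source(SCRIPT))
    print("7.17.2 form:", mistaken_hash_source(SCRIPT))
    print("correct token allows script :", inline_script_allowed([CORRECT_TOKEN], SCRIPT))
    print("mistaken token allows script:", inline_script_allowed([MISTAKEN_TOKEN], SCRIPT))
```

A policy carrying the 7.17.2-style value never matches the script, so the browser blocks the inline script even though the author believes it was whitelisted.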

Received on Saturday, 25 October 2014 12:12:25 UTC
