
Re: [CSP] Inconsistency between Source hash introduction and Source hash usage

From: Mike West <mkwst@google.com>
Date: Mon, 27 Oct 2014 18:25:30 +0100
Message-ID: <CAKXHy=fNtzrNFOPoqPe6htvbfkdpZJAuMisrFHWXCnZnDW0SRQ@mail.gmail.com>
To: Yagihashi Yu <yagihash@sfc.wide.ad.jp>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
You're right that the spec is incorrect. That said, my results don't match
yours. :)

mini [18:24] ~ $ echo -n "alert('Hello, world');" | openssl dgst -sha256 -binary | openssl enc -base64
b+jOy0DlwBaNGMxhuGypbGgvtY9mVoy1LlMALqJWsoY=

How did you end up with 'qznLcsROx4GACP2dm0UCKCzCG+HiZ1guq6ZZDob/Tng='?

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Register court and number: Hamburg, HRB 86891
Registered office: Hamburg
Managing directors: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

On Fri, Oct 24, 2014 at 4:52 PM, Yagihashi Yu <yagihash@sfc.wide.ad.jp> wrote:

> I noticed that the descriptions of source hashes are inconsistent in the CSP
> Level 2 Last Call Working Draft.
> http://www.w3.org/TR/CSP11/
> http://www.w3.org/TR/CSP2/
>
> In 4.2.5, the draft says "Let actual be the base64 encoding of the binary
> digest of element's content using the algorithm algorithm."; however, 7.17.2
> says "For example, the SHA-256 digest of alert('Hello, world.'); is
> YWIzOWNiNzJjNDRlYzc4MTgwMDhmZDlkOWI0NTAyMjgyY2MyMWJlMWUyNjc1ODJlYWJhNjU5MGU4NmZmNGU3OAo=.".
> Section 4.2.5 describes this correctly, matching the actual
> implementation in Google Chrome.
> The correct base64-encoded SHA-256 binary digest of alert('Hello,
> world.'); is qznLcsROx4GACP2dm0UCKCzCG+HiZ1guq6ZZDob/Tng=.
>
> It's obvious that the former is correct and the latter is wrong, but
> this mistake is sometimes misleading.
> (It actually misled me...)
>
> /**
>  * Yu Yagihashi
>  * yagihash@sfc.wide.ad.jp
>  */
>
>
Received on Monday, 27 October 2014 17:26:20 UTC
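The computation both messages discuss, as an added example that is not part of this thread: a Python helper (function names are mine) that builds the hash-source the way CSP section 4.2.5 specifies (base64 of the binary digest), reproduces the form printed in the 7.17.2 example (base64 of the ASCII hex digest plus a trailing newline, which is what its final "OAo=" decodes to), and checks an inline script against a script-src directive. It also shows why the two replies disagree: the openssl command above hashes alert('Hello, world'); without the period, and every byte of the element content, punctuation included, goes into the digest.

```python
import base64
import binascii
import hashlib
import re

# Constructed inputs: the script body with the trailing period (as in the
# spec example and Yagihashi's mail) and without it (as in the openssl
# command). Every byte of the element content is hashed, so these are two
# different scripts as far as CSP is concerned.
SCRIPT_WITH_PERIOD = "alert('Hello, world.');"
SCRIPT_NO_PERIOD = "alert('Hello, world');"


def csp_hash_source(script: str, algorithm: str = "sha256") -> str:
    """Hash-source as CSP 4.2.5 defines it: base64 of the *binary* digest
    of the element's content, with no trimming or normalisation."""
    digest = hashlib.new(algorithm, script.encode("utf-8")).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def spec_example_mistake(script: str) -> str:
    """The form shown in the 7.17.2 example: base64 of the ASCII hex digest
    followed by a newline (sha256sum-style text piped into base64). It
    decodes to 65 bytes of hex text, not to a 32-byte digest."""
    hex_digest = hashlib.sha256(script.encode("utf-8")).hexdigest()
    return base64.b64encode((hex_digest + "\n").encode("ascii")).decode("ascii")


def is_inline_script_allowed(script: str, script_src: str) -> bool:
    """Match an inline script against the hash sources in a script-src
    directive value such as "'self' 'sha256-...='". Each token is decoded
    and compared byte for byte with the script's digest, so a malformed
    token (like the hex-in-base64 example) can never match."""
    for algorithm, encoded in re.findall(
        r"'(sha256|sha384|sha512)-([A-Za-z0-9+/]+=*)'", script_src
    ):
        try:
            expected = base64.b64decode(encoded, validate=True)
        except binascii.Error:
            continue  # not valid base64: an unusable hash source
        if expected == hashlib.new(algorithm, script.encode("utf-8")).digest():
            return True
    return False


if __name__ == "__main__":
    policy = f"script-src 'self' '{csp_hash_source(SCRIPT_WITH_PERIOD)}'"
    print(csp_hash_source(SCRIPT_WITH_PERIOD))       # base64 of the binary digest
    print(spec_example_mistake(SCRIPT_WITH_PERIOD))  # what the spec example printed
    print(is_inline_script_allowed(SCRIPT_WITH_PERIOD, policy))  # True
    print(is_inline_script_allowed(SCRIPT_NO_PERIOD, policy))    # False
```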
