Re: [CSP] Inconsistency between Source hash introduction and Source hash usage

From: Mike West <mkwst@google.com>
Date: Mon, 27 Oct 2014 23:14:38 +0100
Message-ID: <CAKXHy=ejbuqKJFfg5nyfYC5Dfgpoz6_tgbJw3Ri5g14+jcLV3w@mail.gmail.com>
To: Keiji Takeda <keiji@sfc.keio.ac.jp>
Cc: Yagihashi Yu <yagihash@sfc.wide.ad.jp>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Fixed in https://github.com/w3c/webappsec/commit/19b3773c51465fd2ea32f6e0be7b39325a949b89.

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

On Mon, Oct 27, 2014 at 8:09 PM, Mike West <mkwst@google.com> wrote:

> Ah ha! Thanks! :)
>
> -mike
>
> On Mon, Oct 27, 2014 at 8:08 PM, Keiji Takeda <keiji@sfc.keio.ac.jp>
> wrote:
>
>> Mike,
>>
>> Period('.') is missing...
>>
>> > 'Hello, world'
>>
>> should be
>>
>> > 'Hello, world.'
>>
>> Keiji Takeda
>>
>> (2014/10/28 2:25), Mike West wrote:
>>
>>> You're right that the spec is incorrect. That said, my results don't
>>> match yours. :)
>>>
>>> mini [18:24] ~ $ echo -n "alert('Hello, world');" | openssl dgst -sha256 -binary | openssl enc -base64
>>> b+jOy0DlwBaNGMxhuGypbGgvtY9mVoy1LlMALqJWsoY=
>>>
>>> How did you end up with 'qznLcsROx4GACP2dm0UCKCzCG+HiZ1guq6ZZDob/Tng='?
>>>
>>> -mike
>>>
>>> On Fri, Oct 24, 2014 at 4:52 PM, Yagihashi Yu <yagihash@sfc.wide.ad.jp
>>> <mailto:yagihash@sfc.wide.ad.jp>> wrote:
>>>
>>>     I noticed descriptions about source hash are inconsistent in CSP
>>>     Lv.2 Last Call Working Draft.
>>>     http://www.w3.org/TR/CSP11/
>>>     http://www.w3.org/TR/CSP2/
>>>
>>>     In 4.2.5, the draft says "Let actual be the base64 encoding of the
>>>     binary digest of element's content using the algorithm algorithm.",
>>>     however in 7.17.2 it says "For example, the SHA-256 digest of
>>>     alert('Hello, world.'); is
>>>     YWIzOWNiNzJjNDRlYzc4MTgwMDhmZDlkOWI0NTAyMjgyY2MyMWJlMWUyNjc1ODJlYWJhNjU5MGU4NmZmNGU3OAo=."
>>>     Section 4.2.5 describes it correctly according to the actual
>>>     implementation in Google Chrome.
>>>     The correct base64 encoded SHA-256 binary digest of alert('Hello,
>>>     world.'); is qznLcsROx4GACP2dm0UCKCzCG+HiZ1guq6ZZDob/Tng=.
>>>
>>>     It's obvious that the former is correct and the latter is wrong;
>>>     still, this mistake is sometimes misleading.
>>>     (It misled me, actually...)
>>>
>>>     /**
>>>       * Yu Yagihashi
>>>       * yagihash@sfc.wide.ad.jp <mailto:yagihash@sfc.wide.ad.jp>
>>>       */
>>>
>>>
>>>
>>
>
Received on Monday, 27 October 2014 22:15:28 UTC
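The encoding mistake the thread pins down, as an added example (Python, not code from the spec, Chrome, or anyone on the list): the script text and both base64 strings are taken from the messages above; the `diagnose` heuristic and the policy-matching helper are my own additions. It computes the hash-source the way CSP2 section 4.2.5 describes (base64 of the binary digest), reproduces the draft's wrong value by base64-encoding the hex text a command-line tool prints, and shows that a trailing newline (plain `echo` instead of `echo -n`) changes the hash.

```python
import base64
import binascii
import hashlib

# Taken from the thread (not computed here): the script quoted in the draft,
# and the string the CSP2 Last Call draft printed in section 7.17.2 as its digest.
SCRIPT = "alert('Hello, world.');"
SPEC_VALUE = ("YWIzOWNiNzJjNDRlYzc4MTgwMDhmZDlkOWI0NTAyMjgyY2MyMWJlMWUyNjc1"
              "ODJlYWJhNjU5MGU4NmZmNGU3OAo=")


def csp_hash_source(script, alg="sha256"):
    """Hash-source token as CSP2 section 4.2.5 defines it:
    base64 of the *binary* digest of the script's exact bytes."""
    digest = hashlib.new(alg, script.encode("utf-8")).digest()
    return "'%s-%s'" % (alg, base64.b64encode(digest).decode("ascii"))


def hex_then_base64(script, alg="sha256"):
    """The mistake behind the draft's example: base64 applied to the
    hex text a command-line digest tool prints, newline included."""
    hex_text = hashlib.new(alg, script.encode("utf-8")).hexdigest() + "\n"
    return base64.b64encode(hex_text.encode("ascii")).decode("ascii")


def diagnose(value):
    """Heuristic (mine): is a base64 value a raw digest or hex-text-in-base64?"""
    raw = base64.b64decode(value)
    if len(raw) in (32, 48, 64):          # SHA-256 / SHA-384 / SHA-512 sizes
        return "binary-digest"
    text = raw.decode("ascii", "replace").rstrip("\n")
    try:
        binascii.unhexlify(text)
    except (binascii.Error, ValueError):
        return "unknown"
    suffix = ", trailing newline" if raw.endswith(b"\n") else ""
    return "hex-text (%d hex chars%s)" % (len(text), suffix)


def inline_script_allowed(script, hash_sources):
    """Does the inline script match any hash-source token in the policy?"""
    return any(csp_hash_source(script, alg) in hash_sources
               for alg in ("sha256", "sha384", "sha512"))


if __name__ == "__main__":
    print(csp_hash_source(SCRIPT))
    print(diagnose(SPEC_VALUE))
    # Plain `echo` appends a newline, which produces an unrelated digest:
    print(csp_hash_source(SCRIPT + "\n") == csp_hash_source(SCRIPT))
```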