W3C home > Mailing lists > Public > public-webappsec@w3.org > September 2014

[Integrity] hash in HTTP header field

From: Julian Reschke <julian.reschke@gmx.de>
Date: Tue, 16 Sep 2014 08:58:47 +0200
Message-ID: <5417DFA7.3000107@gmx.de>
To: Ángel González <angel@16bits.net>, public-webappsec@w3.org
On 2014-09-16 01:42, Ángel González wrote:
> ...
> Open idea:
> Add a Content-integrity http header akin to Content-MD5 but with a named
> information uri. Checking that a GET of the url returns that header will
> help the schema to still work avoiding origin confusion problems (and
> obviously any body with such header MUST match the hash).
> It would be useful to add an equivalent If-None-Match (or even extend
> those headers for dealing with ni uris in addition to etags) but I'm not
> convinced about that.
> ...

Yes. In RFC 7231 we have deprecated Content-MD5 because of the use of 
MD5, and interop problems with range requests (see 
<https://tools.ietf.org/wg/httpbis/trac/ticket/178>).

See also HTTPbis mailing list thread around 
<http://lists.w3.org/Archives/Public/ietf-http-wg/2014JulSep/2215.html>.

Best regards, Julian
Received on Tuesday, 16 September 2014 06:59:22 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:06 UTC