W3C home > Mailing lists > Public > public-webappsec@w3.org > September 2014

[Integrity] hash in HTTP header field

From: Julian Reschke <julian.reschke@gmx.de>
Date: Tue, 16 Sep 2014 08:58:47 +0200
Message-ID: <5417DFA7.3000107@gmx.de>
To: Ángel González <angel@16bits.net>, public-webappsec@w3.org
On 2014-09-16 01:42, Ángel González wrote:
> ...
> Open idea:
> Add a Content-integrity http header akin to Content-MD5 but with a named
> information uri. Checking that a GET of the url returns that header will
> help the schema to still work avoiding origin confusion problems (and
> obviously any body with such header MUST match the hash).
> It would be useful to add an equivalent If-None-Match (or even extend
> those headers for dealing with ni uris in addition to etags) but I'm not
> convinced about that.
> ...

Yes. In RFC 7231 we have deprecated Content-MD5 because of the use of 
MD5, and interop problems with range requests (see 

See also HTTPbis mailing list thread around 

Best regards, Julian
Received on Tuesday, 16 September 2014 06:59:22 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:40 UTC