[whatwg] validate attribute in <A>

Ian Hickson ian at hixie.ch
Mon Nov 5 15:19:45 PST 2007 

On Sat, 3 Nov 2007, Adam Barth wrote:
> 
> One scenario where something like this would be useful is for a site 
> like eBay that serves iframes and img tags pointing to third-party 
> content after reviewing that content for malware, scams, and adult 
> content.  Without this mechanism, the content they review might change 
> between the time they review it and the time their users load it.
> 
> By specifying the hash of the content, they can ensure that the user 
> agent loads exactly the content they reviewed.  (Of course, by ensuring 
> that the content specifies the hashes of all content it loads, eBay can 
> review all the content loaded by the iframe.)  Their alternative is to 
> host all the content themselves, but this would require a large 
> investment in server capacity as they reference a great deal of outside 
> content in their item listings.

On Sat, 3 Nov 2007, Adam Barth wrote:
> 
> Another scenario where this would be very useful is for HTTPS sites. 
> Currently, every HTTPS site must host all of its content over HTTPS, 
> including script, style sheets, images, SWF movies, etc.  If the hosts 
> any of this content over HTTP, an active network attacker can replace 
> that content with his own.  Loading scripts, style sheets, and SWF 
> movies over HTTP is disaster as the attacker can inject his own scripts 
> and control the secure session.  Sadly, this greatly increases the cost 
> of serving an HTTPS site because these large objects must be encrypted 
> for each client and cannot be cached by user agents.
> 
> Fortunately, confidentiality is often not required for these embedded 
> objects.  The scripts and images are all publicly available.  What is 
> required, however, is integrity.  If the site can specify the hash of 
> these objects when embedding them over HTTP, integrity can be guaranteed 
> and the performance benefits of HTTP can be reaped.

Philip brought up a good point on IRC which is that hashing the entity 
doesn't protect against changes to the headers (and hashing the headers 
isn't workable since they change).

I'm not sure it's worth it.

Those are good use cases, though.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

More information about the whatwg mailing list