[whatwg] hash Attribute

Michel Fortin michel.fortin at michelf.com
Wed Nov 8 04:53:55 PST 2006

On 8 Nov 2006, at 0:42, XcomCoolDude wrote:

> How about a hash attribute for all elements that link to external  
> files (a, img, etc.)?
> It would allow you to pass an MD5, SHA-1, SHA-256, or other hash to  
> a user-agent for automatic comparison with the linked file.
> I'd suggest a format where the hash algorithm is listed, followed  
> by a forward slash and then the hash itself
> Examples:
> hash="MD5/9e107d9d372bb6826bd81d3542a419d6"
> hash="SHA-1/2fd4e1c6 7a2d28fc ed849ee1 bb76e739 1b93eb12"
> hash="SHA-256/d7a8fbb3 07d78094 69ca9abc b0082e4f 8d5651e4 6d3cdb76  
> 2d02d0bf 37c9e592"

I wonder if "checksum" wouldn't be a better name: it contains the
word "check", which better describes the purpose of the whole thing.
But whatever the name, I like the idea of having an automatic means
for the browser to check the validity of downloaded documents. Many
download pages already offer such checksums, but I rarely take the
time to check manually after the download.

Charles Iliya Krempeaux suggested including the hash as an HTTP
header. This would cover the case of an error in the transmission of
a document, but it wouldn't in the case where a file got maliciously
modified on the server. In many cases, the web page for downloading
the file is on a different server than the file itself; by providing  
the hash on the download page and checking it against the actual file  
you've received you get additional security against malicious file  
substitutions. This becomes increasingly important when files are  
mirrored on a couple of servers at different locations.

Michel Fortin
michel.fortin at michelf.com
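
An added example, not part of the original message: a Python sketch of the check a user agent could run under the proposed `ALGORITHM/hex` format, showing why a hash published on the download page catches a substituted file while a hash sent by the file's own server does not. The function names, the default refusal of MD5 and SHA-1, and the tampered sample are assumptions made for illustration; the SHA-256 value is the one from the quoted proposal.

```python
import hashlib
import hmac

# Algorithm labels from the proposal mapped to hashlib names.
ALGORITHMS = {"MD5": "md5", "SHA-1": "sha1", "SHA-256": "sha256"}
# MD5 and SHA-1 have practical collision attacks, so they only catch
# transmission errors; refuse them by default when tampering is the concern.
WEAK = {"MD5", "SHA-1"}


def parse_hash_attr(value):
    """Split 'ALG/hex digest' into (label, digest bytes); spaces in the hex are allowed."""
    label, sep, hex_part = value.partition("/")
    label = label.strip().upper()
    if not sep or label not in ALGORITHMS:
        raise ValueError(f"unsupported hash attribute: {value!r}")
    digest = bytes.fromhex("".join(hex_part.split()))  # ValueError on non-hex
    if len(digest) != hashlib.new(ALGORITHMS[label]).digest_size:
        raise ValueError(f"wrong digest length for {label}")
    return label, digest


def verify(body, attr_value, allow_weak=False):
    """Return True only if body matches the digest published on the linking page."""
    label, expected = parse_hash_attr(attr_value)
    if label in WEAK and not allow_weak:
        return False
    actual = hashlib.new(ALGORITHMS[label], body).digest()
    return hmac.compare_digest(actual, expected)


# Constructed sample: the example values in the message are digests of this pangram.
ORIGINAL = b"The quick brown fox jumps over the lazy dog"
TAMPERED = b"The quick brown fox jumps over the lazy cog"  # constructed substitution
PAGE_ATTR = ("SHA-256/d7a8fbb3 07d78094 69ca9abc b0082e4f 8d5651e4 6d3cdb76 "
             "2d02d0bf 37c9e592")


def header_from_mirror(body):
    """A digest sent by the file's own server is recomputed over whatever it serves."""
    return "SHA-256/" + hashlib.sha256(body).hexdigest()


if __name__ == "__main__":
    print("page hash, original    :", verify(ORIGINAL, PAGE_ATTR))
    print("page hash, tampered    :", verify(TAMPERED, PAGE_ATTR))
    print("mirror header, tampered:", verify(TAMPERED, header_from_mirror(TAMPERED)))
```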
