[whatwg] validate attribute in <A>
Ian Hickson
ian at hixie.ch
Sat Nov 3 02:31:03 PDT 2007
On Wed, 25 Jan 2006, Mike Hoye wrote:
>
> Hi, all. I hope this hasn't been proposed before, but if it is my
> googlage is failing me. My proposal is for the addition of a "validate"
> attribute to the <a> element that would let the client verify the
> content of a link as it comes in, and either put up a warning, a choice
> or just silently drop the incoming data, depending on a user preference.
>
> The validate attribute would describe an algorithm to employ and a
> result to compare it to; for example, somebody downloading the en-US
> version of FF 1.5 from the Mozilla.com homepage could click on a link
> like
>
> <a href="http://foo.com/mozilla-i686.tgz"
> validate="{md5}b63fcdf4863e59c93d2a29df853b6046">
>
> and the client could verify as it comes in that it does at least have
> the md5sum that's advertised. User notifications could include "no
> validation", "successfully validated" and "failed validation", and act
> according to the user's wishes in each case.
It's not entirely clear to me what problem this is solving; but wouldn't
content-MD5 (RFC 1864) be a better solution?
On Wed, 25 Jan 2006, James Graham wrote:
>
> It seems to make phishing scams easier (or at least easier to make
> convincing). If evilsite.com has a hacked version of Firefox accessible
> via an <a validate="hash_from_hacked_firefox"> then anyone downloading
> Firefox from evilsite.com will be told that the download "successfully
> validated" which (misleadingly) suggests it is the real Firefox.
>
> That doesn't leave the attribute totally useless as it would catch the
> case where a trustworthy website used a mirror network which was
> compromised. On balance though I don't see the security effect of this
> as a net positive (but I'm not a security guy so I'm happy to be
> corrected).
On Thu, 26 Jan 2006, Alexey Feldgendler wrote:
>
> This can only be useful on the pages like "Select a mirror to download
> the file from". It should be made clear that this is not intended for
> third-party authors referring to downloadable files, as direct links to
> such files are not mirror-friendly.
>
> Also, the user agent UI should make it clear when indicating a "valid"
> download that the downloaded file is "considered valid by mozilla.com",
> and not just "valid".
>
> I think that another one, probably more useful, attribute for <a> should
> be "filesize" or something like that. It would both serve for additional
> validation (for example, there's no need to even start the download
> after seeing a mismatching Content-Length header) and provide indication
> about the file size for the user (the UA could even calculate the
> estimate download time).
On Thu, 26 Jan 2006, Mike Hoye wrote:
>
> It's also useful in places where that choice is made for you behind the
> scenes, which is more and more frequently the case. When I click on the
> link on mozilla.com, for example, I start downloading a file from any
> one of a (presumably large) number of places - for the naive end user,
> there's not yet an easy way to be reasonably confident that this file
> you're downloading from ftp.rz.tu-bs.de (sometimes something with the
> word "mozilla" in the name, sometimes netscape, sometimes just an IP
> address) is the file you're supposed to be getting.
>
> In fact, now that I look at it, FF 1.5 doesn't even tell you where that
> file is coming from, or notify you that it's not coming from mozilla.com
> - it just pulls it in.
I think James, Alexey, and Mike make good points here.
I'm not convinced there's a pressing need for such a feature, partially
because it's not entirely clear to me what problem it is solving. For
downloads, code signing seems like a better solution all-round.
--
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
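The verification logic that Mike's proposal and Alexey's follow-up describe, written out as an added Python example (it is not code from the thread, from Mozilla, or from any browser): it parses the proposed "{algorithm}hexdigest" syntax, optionally refuses the transfer up front when the server's Content-Length disagrees with an advertised file size, hashes the body as it streams in, and reports one of the three states the proposal names. The regex, the function and attribute names, the three status strings, and the sample payload in the test are all assumptions made for this illustration.

```python
import hashlib
import hmac
import re
from typing import Iterable, Optional, Tuple

# Assumed parser for the "{algo}hexdigest" syntax shown in the thread; the
# thread gives only the one md5 example, so this shape is an assumption.
_VALIDATE_RE = re.compile(r"^\{(?P<algo>[A-Za-z0-9_-]+)\}(?P<digest>[0-9A-Fa-f]+)$")

# The three user-visible states named in the proposal.
NO_VALIDATION = "no validation"
VALIDATED = "successfully validated"
FAILED = "failed validation"


def make_validate_attr(algo: str, data: bytes) -> str:
    """Publisher side: build the attribute value for a known-good file."""
    return "{" + algo + "}" + hashlib.new(algo, data).hexdigest()


def parse_validate(attr: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (algorithm, lowercase hex digest), or None if the attribute is
    absent, malformed, or names a hash this UA cannot compute."""
    if attr is None:
        return None
    m = _VALIDATE_RE.match(attr.strip())
    if m is None:
        return None
    algo = m.group("algo").lower()
    try:
        h = hashlib.new(algo)
    except ValueError:
        return None  # unknown algorithm: behave as if no attribute were present
    digest = m.group("digest").lower()
    if len(digest) != 2 * h.digest_size:
        return None  # a digest of the wrong length can never match
    return algo, digest


def size_precheck(content_length: Optional[str], filesize_attr: Optional[str]) -> bool:
    """Alexey's 'filesize' idea: when both the advertised size and the server's
    Content-Length are known and disagree, there is no point starting."""
    if content_length is None or filesize_attr is None:
        return True
    try:
        return int(content_length) == int(filesize_attr)
    except ValueError:
        return True  # unparsable value: fall through to the hash check


def verify_download(chunks: Iterable[bytes], validate_attr: Optional[str],
                    filesize_attr: Optional[str] = None,
                    content_length: Optional[str] = None) -> str:
    """Hash the body as it arrives and compare it to the link's digest."""
    parsed = parse_validate(validate_attr)
    if parsed is None:
        return NO_VALIDATION
    algo, expected = parsed
    if not size_precheck(content_length, filesize_attr):
        return FAILED
    h = hashlib.new(algo)
    received = 0
    for chunk in chunks:  # streaming: the whole file never needs to be buffered
        h.update(chunk)
        received += len(chunk)
    if filesize_attr is not None and filesize_attr.isdigit() and received != int(filesize_attr):
        return FAILED  # short or padded transfer
    return VALIDATED if hmac.compare_digest(h.hexdigest(), expected) else FAILED


def status_message(result: str, link_origin: str) -> str:
    """Alexey's UI point: a successful check means 'matches what link_origin
    published', not 'this file is genuine'. The linking page chose the digest."""
    if result == VALIDATED:
        return "Download matches the checksum published by " + link_origin
    if result == FAILED:
        return "Download does NOT match the checksum published by " + link_origin
    return "No checksum was published for this download"


if __name__ == "__main__":
    # Constructed sample: a file the publisher knows, and a mirror that altered it.
    good = b"constructed sample tarball contents\n"
    attr = make_validate_attr("md5", good)  # the syntax from the thread's example
    print(status_message(verify_download([good], attr), "mozilla.com"))
    print(status_message(verify_download([good[:10], b"tampered"], attr), "mozilla.com"))
```

The status wording is the defensive point James raised: the digest travels with the link, so a page that links to altered bytes can just as easily publish the altered bytes' digest, and the check will pass. What the check does catch is a mirror or intermediary serving something other than what the linking site intended, which is why the message names the linking origin rather than calling the file "valid".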