[whatwg] checksum attribute in a href tag

Ian Hickson ian at hixie.ch
Fri Oct 19 09:49:01 PDT 2012

On Fri, 19 Oct 2012, A. Rauschenbach wrote:
> I'm sick of copying the checksum of important files by hand or QR-code to 
> the download manager or console.
> To solve the problem I suggest a checksum attribute in the <a href> tag.
> example: <a href="http://example.com/important.file"
> checksum="MD5:32c3675211199b671fbca1304d819289;SHA1:6e1ddeede3979c953788a3499616af35ee5fd772">download</a>
> Another advantage is that your visitors (browser) can verify that the 
> document (e.g. a pdf) you linked to is still the same.

What is the attack scenario you are trying to avoid?

Without a discussion of what problem you're trying to solve, it's unclear 
how to evaluate the proposal.

The idea of a hash="" or checksum="" attribute on <a href> has come up 
before -- about once a year, as far as I can tell! -- but it's always been 
found lacking in one way or another.


(in the third one, search for "fingerprint".)

Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
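
The attribute format proposed in the quoted message, parsed and checked against downloaded bytes, as an added example (not code from the thread or from any browser). The SHA256 label and the function names are assumptions; a match only shows that the file agrees with the linking page, so it says nothing when that page can be altered as well.

```python
import hashlib
import hmac

# Labels from the proposed attribute mapped to hashlib names.
# MD5 and SHA1 appear in the post; SHA256 is an assumption added here.
ALGORITHMS = {"MD5": "md5", "SHA1": "sha1", "SHA256": "sha256"}
HEX = set("0123456789abcdef")


def parse_checksum_attr(value):
    """Parse 'ALGO:hex;ALGO:hex' into {label: lowercase hex digest}."""
    digests = {}
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue  # tolerate a trailing ';'
        label, sep, hexdigest = entry.partition(":")
        label, hexdigest = label.strip().upper(), hexdigest.strip().lower()
        if not sep or label not in ALGORITHMS:
            raise ValueError("unsupported checksum entry: %r" % entry)
        if label in digests:
            raise ValueError("duplicate %s entry" % label)
        want_len = hashlib.new(ALGORITHMS[label]).digest_size * 2
        if len(hexdigest) != want_len or not set(hexdigest) <= HEX:
            raise ValueError("malformed %s digest" % label)
        digests[label] = hexdigest
    if not digests:
        raise ValueError("no checksum entries")
    return digests


def verify_download(data, attr_value):
    """Return True only if every listed digest matches the downloaded bytes."""
    ok = True
    for label, expected in parse_checksum_attr(attr_value).items():
        actual = hashlib.new(ALGORITHMS[label], data).hexdigest()
        # Fail closed: one mismatching digest rejects the download.
        ok &= hmac.compare_digest(actual, expected)
    return ok


if __name__ == "__main__":
    sample = b"constructed sample file contents\n"  # constructed input
    attr = "MD5:%s;SHA1:%s" % (hashlib.md5(sample).hexdigest(),
                               hashlib.sha1(sample).hexdigest())
    print(verify_download(sample, attr))                # intact download
    print(verify_download(sample + b"tampered", attr))  # modified download
```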
