[whatwg] checksum attribute in a href tag

Ian Hickson ian at hixie.ch
Fri Oct 19 09:49:01 PDT 2012


On Fri, 19 Oct 2012, A. Rauschenbach wrote:
> 
> I'm sick of coping the checksum of important files by hand or QR-code to 
> the download manager or console.
> 
> To solve the problem I suggest a checksum attribute in the <a href> tag.
> 
> example: <a href="http://example.com/important.file"
> checksum="MD5:32c3675211199b671fbca1304d819289;SHA1:6e1ddeede3979c953788a3499616af35ee5fd772">download</a>
> 
> Another advantage is that your visitors (browser) can verify that the 
> document (e.g. a pdf) you linked to is still the same.

What is the attack scenario you are trying to avoid?

Without a discussion of what problem you're trying to solve, it's unclear 
how to evaluate the proposal.

The idea of a hash="" or checksum="" attribute on <a href> has come up 
before -- about once a year, as far as I can tell! -- but it's always been 
found lacking in one way or another.

e.g.: 
   http://lists.w3.org/Archives/Public/public-whatwg-archive/2006Nov/thread.html#msg233
   http://lists.w3.org/Archives/Public/public-whatwg-archive/2007Jul/0049.html
   http://lists.w3.org/Archives/Public/public-whatwg-archive/2008Dec/0376.html

(in the third one, search for "fingerprint".)

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'



More information about the whatwg mailing list