[whatwg] checksum attribute in a href tag
Tab Atkins Jr.
jackalmage at gmail.com
Fri Oct 19 12:22:09 PDT 2012
On Fri, Oct 19, 2012 at 11:46 AM, A. Rauschenbach <rauschenbach at annuo.de> wrote:
> Am 2012-10-19 18:49, schrieb Ian Hickson:
>> What is the attack scenario you are trying to avoid?
>> Without a discussion of what problem you're trying to solve, it's unclear
>> how to evaluate the proposal.
>> The idea of a hash="" or checksum="" attribute on <a href> has come up
>> before -- about once a year, as far as I can tell! -- but it's always been
>> found lacking in one way or another.
> I don't want to avoid any attack scenario!
> I want trusted information.
> If I write an article and link to other documents I want a solution that the
> visitor can be sure that the document he opens is the document I originally
> linked to. (And if its not he gets informed. So he knows that the
> information maybe differ from the one the article talks about.)
That's also an attach scenario. ^_^
I doubt it would be very useful to use this for confirming that
arbitrary destination pages are the same. Those can change in minor,
unimportant ways all the time; a lot of pages include some form of
dynamic content that means they'll almost *never* be exactly the same
from pageload to pageload. It seems highly likely that trying to use
a checksum for this scenario would simply result in the browser
over-warning people, thus making the warning useless.
Using it specifically to defend against attack scenarios in
*downloads*, on the other hand, is more likely to be useful.
Downloads don't change nearly as much as pages do, so a change is more
likely to be a result of something you don't want, rather than simply
However, check out the threads that Hixie referenced. The upsides and
downsides of something like this have been discussed quite a bit
More information about the whatwg