
Specify hash function naming #89

Closed
fulldecent opened this issue Jan 3, 2020 · 5 comments

@fulldecent
Contributor

The current specification shows the example:

```html
<script src="https://example.com/example-framework.js"
        integrity="sha384-Li9vy3DqF8tnTXuiaAJuML3ky+er10rcgNR/VqsVpcw+ThHmYcwiB1pbOxEbzJr7"
        crossorigin="anonymous"></script>
```

But elsewhere it refers to the same hash function as "SHA-384". Please specify which spelling is normative.

@jonathanKingston
Contributor

I think this is somewhat valid; however, the spec does make some differences in their usages.

https://www.w3.org/TR/CSP2/#source-list-valid-hashes explains the mapping of SHA-384 to the sha384 hash-algo prefix.

However there is one other usage which is perhaps confusing:

> which would allow the user agent to accept two different content payloads, one of which matches the first SHA384 hash value and the other matches the second SHA384 hash value.

I suspect these SHA384 should have actually been "sha384" given that it's describing the prefix and not the algo.

I think there are two points that seem valid here:

  • Link better to the parsing algorithm of CSP or separate it out so both specifications can use it.
  • Fix the sentence I mentioned above.
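An added illustration, not part of the issue thread or the specification text, of the distinction discussed above: the lowercase prefix token in the `integrity` attribute selects the algorithm that prose calls SHA-384, and two tokens with the same prefix let either of two payloads pass. It is a simplified sketch of SRI-style matching; the function names, the exact-lowercase prefix comparison and the sample payloads are assumptions made for this example.

```python
import base64
import hashlib

# Prefix token as written in integrity="..." -> (name used in prose, strength
# rank, hashlib constructor). Assumption of this sketch: prefixes are compared
# exactly, in lowercase.
ALGORITHMS = {
    "sha256": ("SHA-256", 1, hashlib.sha256),
    "sha384": ("SHA-384", 2, hashlib.sha384),
    "sha512": ("SHA-512", 3, hashlib.sha512),
}


def parse_metadata(integrity):
    """Return [(prefix, base64_digest)] for tokens with a known prefix."""
    parsed = []
    for token in integrity.split():
        prefix, sep, rest = token.partition("-")
        if not sep or prefix not in ALGORITHMS:
            continue  # e.g. "SHA-384-..." splits into prefix "SHA" and is skipped
        digest = rest.split("?", 1)[0]  # drop any ?options suffix
        parsed.append((prefix, digest))
    return parsed


def make_token(prefix, content):
    """Build a prefix-digest token for content (bytes)."""
    raw = ALGORITHMS[prefix][2](content).digest()
    return prefix + "-" + base64.b64encode(raw).decode("ascii")


def matches(content, integrity):
    """True if content matches any digest of the strongest listed algorithm."""
    parsed = parse_metadata(integrity)
    if not parsed:
        return True  # no usable metadata: nothing is enforced
    strongest = max((p for p, _ in parsed), key=lambda p: ALGORITHMS[p][1])
    for prefix, expected in parsed:
        if prefix == strongest and make_token(prefix, content) == prefix + "-" + expected:
            return True
    return False


# Constructed sample payloads, not taken from the issue.
PAYLOAD_A = b"console.log('build A');\n"
PAYLOAD_B = b"console.log('build B');\n"
TWO_HASHES = make_token("sha384", PAYLOAD_A) + " " + make_token("sha384", PAYLOAD_B)
```

In this sketch a token spelled with the prose name (`SHA-384-...`) is dropped during parsing, so an attribute containing only such tokens enforces nothing; a deployment check should flag that case rather than treat it as a pass.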

@jonathanKingston
Contributor

Ah I see there is #84 (comment) which covers most of my comment. That sentence is still an issue though.

@devd
Contributor

devd commented Jan 4, 2020 via email

@jonathanKingston
Contributor

After much deliberation I think the second sentence actually is clearer given it's non-normative anyway:

@devd
Contributor

devd commented Jan 11, 2020

fixed per above.

@devd closed this as completed Jan 11, 2020