Open ioggstream opened 5 years ago
@jyasskin maybe related to https://github.com/WICG/webpackage/blame/master/draft-yasskin-http-origin-signed-responses.md#L352
An alternative way of fixing this is to state the problem in more generic terms. For example, all resource metadata is open to tampering; any methods that attempt to address tampering of the digest header MUST also consider mandatory elements that compose Digest: Content-Type and Content-Encoding.
While we could provide that information in a BCP (e.g. like it was done in https://tools.ietf.org/html/rfc6819), I think that it could make sense to provide it here.
Thinking twice, I don't know whether the Security Considerations section can contain "MUST" & co.
Still, imho we should state clearly that:
Let's see how other specs address this kind of issues.
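To illustrate the point made above about Digest and the metadata that composes it, here is an added example (not code from the webpackage project or the draft): the Digest header is computed over the representation bytes as sent, so a check that compares only Digest to the body still passes when Content-Encoding is altered in transit, even though the client would then interpret the same bytes differently. The keyed MAC used to bind Digest to Content-Type and Content-Encoding, the key, the `X-Metadata-MAC` header name and the sample JSON body are all constructed assumptions for the demonstration, not a mechanism from the draft.

```python
import base64
import gzip
import hashlib
import hmac

# Constructed sample representation: a JSON body sent with Content-Encoding: gzip.
PLAINTEXT = b'{"balance": 100}'
ENCODED = gzip.compress(PLAINTEXT, mtime=0)


def representation_digest(body: bytes) -> str:
    """Digest header value (sha-256=<base64>) over the bytes as sent on the wire."""
    return "sha-256=" + base64.b64encode(hashlib.sha256(body).digest()).decode()


def digest_matches(headers: dict, body: bytes) -> bool:
    """Naive check: only the Digest header is compared against the body."""
    return hmac.compare_digest(headers.get("Digest", ""), representation_digest(body))


# Hypothetical binding (an assumption, not the draft's mechanism): a keyed MAC over
# Digest together with the two headers needed to interpret the digested bytes.
BOUND_HEADERS = ("Digest", "Content-Type", "Content-Encoding")


def bind_metadata(key: bytes, headers: dict) -> str:
    material = "\n".join(f"{h.lower()}: {headers.get(h, '')}" for h in BOUND_HEADERS)
    return hmac.new(key, material.encode(), hashlib.sha256).hexdigest()


def verify_bound(key: bytes, headers: dict, body: bytes) -> bool:
    """Hardened check: Digest must match the body AND the metadata MAC must verify."""
    if not digest_matches(headers, body):
        return False
    expected = bind_metadata(key, headers)
    return hmac.compare_digest(headers.get("X-Metadata-MAC", ""), expected)


def decode_body(headers: dict, body: bytes) -> bytes:
    """What a client would hand to the application, based on Content-Encoding."""
    if headers.get("Content-Encoding") == "gzip":
        return gzip.decompress(body)
    return body


def demo() -> dict:
    key = b"constructed-demo-key"  # constructed; shared between sender and verifier
    original = {
        "Content-Type": "application/json",
        "Content-Encoding": "gzip",
        "Digest": representation_digest(ENCODED),
    }
    original["X-Metadata-MAC"] = bind_metadata(key, original)

    # Metadata tampered in transit: Content-Encoding removed, body and Digest untouched.
    altered = dict(original)
    del altered["Content-Encoding"]

    return {
        # Digest alone still verifies: the bytes on the wire did not change.
        "naive_accepts_altered": digest_matches(altered, ENCODED),
        # Binding Content-Type/Content-Encoding to Digest catches the change.
        "bound_accepts_altered": verify_bound(key, altered, ENCODED),
        "bound_accepts_original": verify_bound(key, original, ENCODED),
        # Without the encoding header the client sees gzip bytes, not the JSON.
        "altered_body_is_plaintext": decode_body(altered, ENCODED) == PLAINTEXT,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The naive verifier accepts the altered message because Digest covers only the representation data; the bound verifier rejects it because Content-Encoding is part of what is authenticated, which is exactly why the security considerations need to name Content-Type and Content-Encoding alongside Digest.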
This PR states that:
- content-type
- content-encodings
too.