Why can't I get a file checksum if I'm on http? #238

Closed
StephenLynx opened this issue Apr 30, 2020 · 2 comments

@StephenLynx

What even is the purpose of that limitation? HTTPS doesn't even cover access to the filesystem? What were you thinking?
#28

This is downright stepping on software freedoms and keeping me from using my software as I wish. If someone wants to run a site in plain http, that's his problem.

@twiss
Member

twiss commented May 4, 2021

The issue is that, if a web app computes a checksum of a file, and displays it to the user, the user might trust the file based on that (checksums are often used as a security measure), not realizing that anyone could have modified the code. Using Web Crypto on HTTP is therefore almost always insecure, thus it's better to prevent this massive footgun, and encourage web developers to use HTTPS in these cases. This is meant to protect end users.

@twiss twiss closed this as completed May 4, 2021
@StephenLynx
Author

This is none of the spec's business. That's between the software and their end-users.
