Ticket #178 (closed design: fixed)
Content-MD5 and partial responses
|Reported by:||email@example.com||Owned by:||firstname.lastname@example.org|
|Component:||p3-payload||Severity:||Active WG Document|
After a quick look, my reading is that a Content-MD5 header on a partial response reflects the bytes in that message, rather than the whole (non-partial) response:
The entity-header field "Content-MD5", as defined in [RFC1864], is an MD5 digest of the entity-body for the purpose of providing an end-to- end message integrity check (MIC) of the entity-body. (Note: a MIC is good for detecting accidental modification of the entity-body in transit, but is not proof against malicious attacks.)
Content-MD5 = "Content-MD5" ":" OWS Content-MD5-v Content-MD5-v = <base64 of 128 bit MD5 digest as per [RFC1864]>
The Content-MD5 header field MAY be generated by an origin server or client to function as an integrity check of the entity-body. Only origin servers or clients MAY generate the Content-MD5 header field; proxies and gateways MUST NOT generate it, as this would defeat its value as an end-to-end integrity check. Any recipient of the entity-body, including gateways and proxies, MAY check that the digest value in this header field matches that of the entity-body as received.
The MD5 digest is computed based on the content of the entity-body, including any content-coding that has been applied, but not including any transfer-encoding applied to the message-body. If the message is received with a transfer-encoding, that encoding MUST be removed prior to checking the Content-MD5 value against the received entity.
Note that a multipart message is allowed to have C-MD5 on individual parts; The entity-body for composite types MAY contain many body-parts, each with its own MIME and HTTP headers (including Content-MD5, Content-Transfer-Encoding, and Content-Encoding headers).
RFC3230 (n.b., - standards track) agrees:
HTTP/1.1 defines a Content-MD5 header that allows a server to include a digest of the response body. However, this is specifically defined to cover the body of the actual message, not the contents of the full file (which might be quite different, if the response is a Content- Range, or uses a delta encoding).
The most immediate problem here is that a cache that combines multiple ranges can't change Content-MD5, can't strip it, and if it forwards it, it will be incorrect.
- Owner email@example.com deleted
- Status changed from assigned to new
- Milestone changed from 10 to unassigned
comment:15 Changed 3 years ago by firstname.lastname@example.org
- Owner changed from email@example.com to firstname.lastname@example.org
- Milestone changed from unassigned to 14
comment:17 Changed 3 years ago by email@example.com
- Status changed from new to closed
- Resolution set to incorporated
comment:18 Changed 3 years ago by firstname.lastname@example.org
- Status changed from closed to reopened
- Resolution incorporated deleted
comment:19 Changed 3 years ago by email@example.com
- Status changed from reopened to closed
- Resolution set to fixed