Comments (8)
I guess https://www.rfc-editor.org/rfc/rfc4648#section-3.5 in particular is a thing that our algorithm addresses explicitly. We ignore some bits instead of checking they are 0. That's a thing I haven't seen a single browser-based base64/base64url implementation enforce. Number of `=` is enforced though.
So we might need to define something equivalent for base64url given CSP/SRI use that and might not rely on encoding alone.
Related: tc39/proposal-arraybuffer-base64#5.
Something to consider here is whether you might want to recommend that implementations avoid creating side-channels (esp. through timing) based on the content of the information being encoded. There are a number of cases where the information that is being passed should not be leaked to other processes, but might be if the encoding function were highly variable.
Maybe we should instead encourage folks to not use base64 for such cases? I doubt any browser has base64 code paths that take that into account and I'm not sure we should have those.
Firefox considers it, at least in those few places we moved to a CT encoder, which at least includes base64url in Push.
@martinthomson could you point to the cases in the Push specification that warrant that? Thanks!
Nothing concrete in the spec. But the values are secrets and I've learned that you don't write code that changes what it does based on the value of a secret.
The simdutf library (used in Node.js for base64 decoding) implements forgiving base64. As far as we know, it is fully compliant. One issue that I have encountered is that there is no base64url equivalent that is explicit.
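The point from the first comment (RFC 4648 section 3.5: the unused bits of the final character) applied to base64url, which the last comment notes has no explicit forgiving variant. This is an added example, not code from the thread, from Infra or from any library mentioned here. It is a minimal unpadded base64url decoder; the function names and the `strict` option are hypothetical.

```javascript
const ALPHABET =
  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";

// Decode unpadded base64url. With strict=false the unused low bits of the
// final character are ignored (the forgiving behaviour). With strict=true
// they must be zero, so each byte sequence has exactly one accepted encoding.
// Note: indexOf() is a data-dependent lookup, so this decoder is NOT
// constant-time; it only demonstrates the canonical-encoding check.
function decodeBase64url(input, { strict }) {
  if (input.length % 4 === 1) return null; // no byte count produces this length
  const out = [];
  let buffer = 0;
  let bits = 0;
  for (const ch of input) {
    const value = ALPHABET.indexOf(ch);
    if (value === -1) return null; // outside the base64url alphabet
    buffer = (buffer << 6) | value;
    bits += 6;
    if (bits >= 8) {
      bits -= 8;
      out.push((buffer >> bits) & 0xff);
      buffer &= (1 << bits) - 1; // keep only the leftover bits
    }
  }
  // bits is now 0, 2 or 4: the pad bits carried by the final character.
  if (strict && buffer !== 0) return null;
  return Uint8Array.from(out);
}

// Constructed sample: the single byte 0x66 ("f"). Its canonical encoding is
// "Zg"; "Zh" through "Zv" differ from it only in the four unused bits.
function acceptedEncodings(prefix, strict) {
  return [...ALPHABET]
    .map((ch) => prefix + ch)
    .filter((s) => {
      const bytes = decodeBase64url(s, { strict });
      return bytes !== null && bytes.length === 1 && bytes[0] === 0x66;
    });
}

console.log("forgiving:", acceptedEncodings("Z", false).join(" "));
console.log("strict:   ", acceptedEncodings("Z", true).join(" "));
```

Under the forgiving rule sixteen distinct strings decode to the same byte, so comparing encoded strings and comparing decoded bytes give different answers unless the unused bits are checked.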