-
Notifications
You must be signed in to change notification settings - Fork 99
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Forgiving base64 #566
Comments
I guess https://www.rfc-editor.org/rfc/rfc4648#section-3.5 in particular is a thing that our algorithm addresses explicitly. We ignore some bits instead of checking they are 0. That's a thing I haven't seen a single browser-based base64/base64url implementation enforce. Number of So we might need to define something equivalent for base64url given CSP/SRI use that and might not rely on encoding alone. Related: tc39/proposal-arraybuffer-base64#5. |
Something to consider here is whether you might want to recommend that implementations avoid creating side-channels (esp. through timing) based on the content of the information being encoded. There are a number of cases where the information that is being passed should not be leaked to other processes, but might be if the encoding function were highly variable. |
Maybe we should instead encourage folks to not use base64 for such cases? I doubt any browser has base64 code paths that take that into account and I'm not sure we should have those. |
Firefox considers it, at least in those few places we moved to a CT encoder, which at least includes base64url in Push. |
@martinthomson could you point to the cases in the Push specification that warrant that? Thanks! |
Nothing concrete in the spec. But the values are secrets and I've learned that you don't write code that changes what it does based on the value of a secret. |
The simdutf library (used in Node.js for base64 decoding) implements forgiving base64. As far as we know, it is fully compliant. One issue that I have encountered is that there is no base64url equivalent that is explicit. |
Is forgiving base64 essentially
?
It's a lot clearer about erroneous inputs though so if we decide to change this we want to make sure we end up making the same requirements.
cc @zcorpan @bakkot
The text was updated successfully, but these errors were encountered: