Features/HTTP Digest header verification

From MozillaWiki
Jump to: navigation, search
Please use "Edit with form" above to edit this page.


Hash validation after binary download completes successfully
Stage `
Status `
Release target `
Health `
Status note `


Product manager `
Directly Responsible Individual `
Lead engineer `
Security lead `
Privacy lead `
Localization lead `
Accessibility lead `
QA lead `
UX lead `
Product marketing lead `
Operations lead `
Additional members `

Open issues/risks


Stage 1: Definition

1. Feature overview

Sometimes downloads have an error during transfer. HTTP has a 'Digest' header field (RFC 3230, RFC 5843) which allows a server to give the hash of a file. Firefox could use this hash from the 'Digest' header to validate the file after the binary download completes successfully. If the hashes match, then the file has been transferred without error. If the hashes do not match, then an error has occurred.

A number of download programs support the 'Digest' header and this behavior already.

2. Users & use cases

Jim downloads LibreOffice but the file doesn't seem to work. Jim contacts the LibreOffice support group and they suggest that Jim manually validates the hash. Jim uses Microsoft Windows, so they tell him to download a small program since nothing comes with the OS to do this. Jim installs the program, and after figuring out how to use it & select the file to hash, figures out that the download is corrupt. He contacts LibreOffice support & they tell him to re-download the file again, and manually check it again until the hash is correct. Jim has an unreliable internet connection, so it isn't until his third try that the download completes without errors.

Janie downloads VLC and as a technical user, she recognizes the SHA-1 hash on the download page: http://get.videolan.org/vlc/2.0.6/macosx/vlc-2.0.6.dmg

"If you have a problem, click here. SHA-1 checksum: 65742a2194185790925a4dcd6105ca27eb3e386a"

As a seasoned Unix user, she knows she may open a terminal and type a command to manually verify that the download completed without errors. Luckily there are no errors, so she uses the file. Janie wishes her browser automatically took care of this for her, even though she knows how to do it.

Behavior with this feature: User initiates a binary file download. A hash is supplied in a 'Digest' header. Once the download completes successfully, Firefox automatically uses the hash to validate the file. If there is an error during transfer, a retry option can be given. If the file is complete and without errors, it can be shown as a typical completed download.

3. Dependencies


4. Requirements




Stage 2: Design

5. Functional specification


6. User experience design


Stage 3: Planning

7. Implementation plan


8. Reviews

Security review


Privacy review


Localization review




Quality Assurance review


Operations review


Stage 4: Development

9. Implementation


Stage 5: Release

10. Landing criteria


Feature details

Priority `
Rank 999
Theme / Goal `
Roadmap `
Secondary roadmap `
Feature list `
Project `
Engineering team `

Team status notes

  status notes
Products ` `
Engineering ` `
Security ` `
Privacy ` `
Localization ` `
Accessibility ` `
Quality assurance ` `
User experience ` `
Product marketing ` `
Operations ` `