HTTP Gateway Validator
Opened this issue · 0 comments
lidel commented
AKA checksuming payload as it arrives from untrusted gateway
and checking if it match expected CID
Context
See Verifiable HTTP Gateway Responses at ipfs/in-web-browsers#128
Work
- research if/how we could calculate checksum as data arrives
- Only Firefox supports webRequest.filterResponseData() API, so it could be Firefox-only feature for now.
- research how we resolve CID of resources under a path and get insight into DAG structure
- A: additional lookup via local js-ipfs used only for that or fallback on
http://ipfs.io/api/v0/ - B: additional HTTP headers with required metadata
- A: additional lookup via local js-ipfs used only for that or fallback on
- research and design UX for indicating the payload is verified
- implement streaming validator that drops connection if payload does not match expected digest
Related Resources
- Prior art from Cloudflare: https://github.com/cloudflare/ipfs-ext/
- it also has DNSSEC validator, but that should be a separate topic
- limitation: only SHA-256 is supported in CIDs
- If browser is able to verify CID digest, it will be possible to define public, untrusted gateway as the backend without need for trusting it returns valid data
- Reproducible File Imports | ipld/legacy-unixfs-v2#15