Check "gzip" checksum?
ricea opened this issue · 2 comments
Feedback from the Web Performance group at TPAC 2019 indicated that browsers will typically accept gzip input with incorrect checksums. We need to decide what the behaviour will be for DecompressionStream.
GZip uses two checksums, a CRC-32 for the header, and one for the full file in its footer. If the header checksum is incorrect, this can be determined before any of the "body" bytes are returned, but if the footer checksum is incorrect, the streamed data probably has already been consumed by the reader before the mismatch is discovered.
ZLib Deflate uses includes an ADLER32 checksum in the footer.
I decided to verify the checksums by default, and possibly add a "power user" option to turn them off. As you say, the data will most likely have already been consumed by the time the error is detected, but it does at least alert the coder to the possibility of data loss.