Funnily, an early prototype of the Subresource Integrity specification used that syntax. Everyone hated it so we switched to the current grammar e.g., sha256-base64ofdigest. Not sure I remember why we use base64 instead of hexdigest. Maybe to win some bytes?
(Aside: base64 gave us other issues: some browsers accept base64url, some don’t. Some are forgiving with padding, some aren’t)
Rethinking, maybe we took the other grammar for aligning with CSP hash sources (which were only supported for inline scripts back then). My memory is hazy on this.
The “ni” in “ni://” stands for “named information,” for anyone else who’s wondering.
I honestly thought it was a Monty Python reference.
“You must fetch a shrubbery with the following SHA-256 digest…”
Funnily, an early prototype of the Subresource Integrity specification used that syntax. Everyone hated it so we switched to the current grammar e.g., sha256-base64ofdigest. Not sure I remember why we use base64 instead of hexdigest. Maybe to win some bytes?
(Aside: base64 gave us other issues: some browsers accept base64url, some don’t. Some are forgiving with padding, some aren’t)
Everyone hated what, the
ni:///prefix? Otherwise it’s justsha-256-32;<base64url>Rethinking, maybe we took the other grammar for aligning with CSP hash sources (which were only supported for inline scripts back then). My memory is hazy on this.
But no! Surely these are the interesting parts of the NFC.
You forced my hand, binary and human-speakable formats added to the article.
Thank you for your service.
I implemented this in Go a while ago: https://codeberg.org/rumpelsepp/ni
Related: https://lobste.rs/s/o7rmhg/rfc_6920_naming_things_with_hashes_2013