Zstandard, or “zstd”, is a data compression mechanism described in RFC8878. It is a fast lossless compression algorithm, targeting real-time compression scenarios at zlib-level and better compression ratios. The "zstd" token was added as an IANA-registered Content-Encoding token as per https://datatracker.ietf.org/doc/html/rfc8878#name-content-encoding. Adding support for "zstd" as a Content-Encoding will help load pages faster and use less bandwidth.
Servers that have a broken implementation of zstd might exist, but the risk of this is small. Additionally, middleware and middleboxes like virus checkers that intercept HTTPS connections might not support zstd, but might fail to remove it from the Accept-Encoding header in the request.
CRIME and BREACH mean that the resource being compressed can be considered readable by the document deploying them. That is bad if any of them contains information that the document cannot already obtain by other means. An attacker may provide correctly formed compressed frames with unreasonable memory requirements, and dictionaries may interact unexpectedly with a decoder, leading to possible memory or other resource-exhaustion attacks. It is possible to store arbitrary user metadata in skippable frames, so they can be used as a watermark to track the path of the compressed payload. It is important to note that these concerns apply to all compression formats, not just zstd.
To mitigate these risks, similar to Brotli, we'll be advertising support for "zstd" encoding only if transferred data is opaque to proxy, to ensure that resources don't contain private data that the origin cannot read otherwise.
Adding zstd to Chromium adds a large new code surface that processes untrusted data, which inevitably brings risks of new security holes. However, this is mitigated by the extensive fuzzing and security analysis done on zstd by Google and other community members.
Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
No special support needed. Zstd content-encoding support will be exposed to the devtools protocol, so developers are able to override it and view the headers from the inspector.
Shipping on desktop | 117 |
Shipping on Android | 117 |
Shipping on WebView | 117 |
Can you clarify the proposed experiment (presumably N% of
stable?) and the desired milestones? Thanks!
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAMZNYANR%3DisgShRGxHQMgn-2W1%2BteA81AtyRu14v7s_kk2C90Q%40mail.gmail.com.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAMZNYANXMaVdvHKvgswVQpZKe3%2BE-mknMi%2B8X6kKpq%2BbZZfUig%40mail.gmail.com.