On Fri, Mar 16, 2018 at 12:23 PM, Mike Samuel <[email protected]> wrote:

> On Fri, Mar 16, 2018 at 11:38 AM, C. Scott Ananian <[email protected]> wrote:
>
>> Canonical JSON is often used to imply a security property: two JSON blobs
>> with identical contents are expected to have identical canonical JSON forms
>> (and thus identical hashed values).
>
> What does "identical contents" mean in the context of numbers? JSON
> intentionally avoids specifying any precision for numbers.
>
> JSON.stringify(1/3) === '0.3333333333333333'
>
> What would happen with JSON from systems that allow higher precision?
> I.e., what would (JSON.canonicalize(JSON.stringify(1/3) + '3')) produce?
>
>> However, unicode normalization allows multiple representations of "the
>> same" string, which defeats this security property. Depending on your
>> implementation language
>
> We shouldn't normalize unicode in strings that contain packed binary
> data. JSON strings are strings of UTF-16 code-units, not Unicode scalar
> values and any system that assumes the latter will break often.
Both of these points are made on the URL I originally cited: http://wiki.laptop.org/go/Canonical_JSON

--scott
_______________________________________________ es-discuss mailing list [email protected] https://mail.mozilla.org/listinfo/es-discuss

