- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Thu, 16 Jul 2015 11:01:09 -0700
- To: Guille -bisho- <bishillo@gmail.com>
- Cc: Ben Maurer <ben.maurer@gmail.com>, Amos Jeffries <squid3@treenet.co.nz>, HTTP Working Group <ietf-http-wg@w3.org>
On 16 July 2015 at 10:38, Guille -bisho- <bishillo@gmail.com> wrote: > The risk is still the typical ga.js url embedded in all websites. If a > bug/hack makes that static, you will need to ask all site owners to go and > change the url to something else, which will take ages. Shift-reload is a tool we provide our users to get around this class of problem. Also, we like to engineer security systems that don't have a point-in-time compromises of a system resulting in a persistent attack. Maybe we should look for alternatives. If Facebook wanted to construct a service worker that handled fetch events for "static" resources and manage its own cache, we can't really stop that from happening. We can't stop you from blocking your own requests after all. Note that this wouldn't work if the resources were requested by another origin unless you want to support foreign fetch events for service workers.
Received on Thursday, 16 July 2015 18:01:36 UTC