Re: [JSPreflight] - First Draft of JavaScript Preflight Injection online from Reitbauer, Alois on 2013-08-07 (public-web-perf@w3.org from August 2013)

From: Reitbauer, Alois <Alois.Reitbauer@compuware.com>
Date: Wed, 7 Aug 2013 07:17:17 +0000
To: Andy Davies <dajdavies@gmail.com>
CC: "public-web-perf@w3.org" <public-web-perf@w3.org>
Message-ID: <CE27C0F5.23769%alois.reitbauer@compuware.com>

Proxies can do this also today with the HML content. The only way to prevent this type of attacks is to use HTTPS.

I think we need to allow more than one analytics header for the same reason you mentioned. The proposal is to handle this the same way we handle multiple cookies.

// Alois

From: Andy Davies <dajdavies@gmail.com<mailto:dajdavies@gmail.com>>
Date: Friday, August 2, 2013 8:51 PM
To: Alois Reitbauer <alois.reitbauer@compuware.com<mailto:alois.reitbauer@compuware.com>>
Subject: [JSPreflight] - First Draft of JavaScript Preflight Injection online

How will we prevent proxies inserting their own JS using this model?

What happens for sites that use more than one analytics type beacon (it's not that uncommon in my experience), will the header support multiple entires?

Thanks

Andy

The contents of this e-mail are intended for the named addressee only. It contains information that may be confidential. Unless you are the named addressee or an authorized designee, you may not copy or use it, or disclose it to anyone else. If you received it in error please notify us immediately and then destroy it. Compuware Austria GmbH (registration number FN 91482h) is a company registered in Vienna whose registered office is at 1120 Wien, Austria, Am Euro Platz 2 / Geb?ude G.

Received on Wednesday, 7 August 2013 07:17:54 UTC