
Re: cache hints and preresolutions

From: Ilya Grigorik <igrigorik@google.com>
Date: Mon, 7 Jul 2014 14:33:20 -0700
Message-ID: <CADXXVKpFLD3NfmFMZvM2baDJ3TD9SopYSWD-VLK57x2FSWA3qg@mail.gmail.com>
To: Peter L <bizzbyster@gmail.com>
Cc: Yoav Weiss <yoav@yoav.ws>, "public-web-perf@w3.org" <public-web-perf@w3.org>

On Mon, Jul 7, 2014 at 1:50 PM, Peter L <bizzbyster@gmail.com> wrote:

> I don't understand what you mean. The point I'm making is that we can't
> push the jquery javascript resource used in your subresource example here:
> https://code.google.com/p/chromium/issues/detail?id=312327. Push is only
> for same origin sub-resources, which means its potential impact on
> improving concurrency is much lower than hints. See this blog post for
> further argument on the importance of prefetching non same domain
> resources:
> http://caffeinatetheweb.com/what-makes-the-web-great-also-makes-it-slow/.
>

Say I've included "thirdparty.com/widget.js" on my site. Said third party
keeps a low TTL (60m) such that they can push quick updates, security
patches, and so on. In fact, such an update is in the process of being rolled
out... except, a malicious proxy comes along and embeds an "integrity" hint
on behalf of the third party leading the client to believe that the (bad /
outdated) script in its cache is, in fact, valid and good... Not a happy
outcome and the reason why the proxy should not be allowed to push on behalf of
third parties, or claim things about the integrity of cached third-party
resources. If you want to address this, you should host the third party
resources on the same origin.

ig
Received on Monday, 7 July 2014 21:34:28 UTC
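
Added example, not part of the original message or of any browser's code: a sketch of the client-side cache policy the argument above implies, showing that an injected hint's hash can match the stale cached copy and still must not be trusted. The hint shape (`{ url, integrity }`), the function names and the host `mysite.example` are assumptions made for illustration.

```javascript
// Added illustration, not from the thread: hint shape and names are hypothetical.
const { createHash } = require('node:crypto');

const sri = (body) => 'sha256-' + createHash('sha256').update(body).digest('base64');

// May a cached entry be served without revalidation, given an integrity hint
// ({ url, integrity }) that arrived in a document served for `documentOrigin`?
function mayReuseCached(cache, hint, documentOrigin, now) {
  const entry = cache.get(hint.url);
  if (!entry) return { reuse: false, reason: 'not-cached' };
  if (now < entry.expires) return { reuse: true, reason: 'fresh' };
  // Stale entry: only the resource's own origin can vouch that it is still current.
  if (new URL(hint.url).origin !== documentOrigin) {
    return { reuse: false, reason: 'cross-origin-hint' };
  }
  if (sri(entry.body) !== hint.integrity) return { reuse: false, reason: 'hash-mismatch' };
  return { reuse: true, reason: 'same-origin-hint' };
}

// Constructed scenario: widget.js was cached with a 60m TTL that has since expired,
// and the third party has shipped a patched version the client has not fetched yet.
function demo() {
  const MIN = 60 * 1000;
  const oldWidget = 'function widget(){ /* v1, unpatched */ }';
  const cache = new Map([
    ['https://thirdparty.com/widget.js', { body: oldWidget, expires: 60 * MIN }],
    ['https://mysite.example/app.js', { body: 'app()', expires: 60 * MIN }],
  ]);
  const now = 90 * MIN;
  // Hint injected into mysite.example's HTML; the hash matches the stale cached copy.
  const injected = { url: 'https://thirdparty.com/widget.js', integrity: sri(oldWidget) };
  const own = { url: 'https://mysite.example/app.js', integrity: sri('app()') };
  return {
    hashMatchesStaleCopy: sri(cache.get(injected.url).body) === injected.integrity,
    thirdParty: mayReuseCached(cache, injected, 'https://mysite.example', now),
    sameOrigin: mayReuseCached(cache, own, 'https://mysite.example', now),
  };
}

console.log(demo());
```

The hash comparison alone succeeds for the outdated script, so the origin check is what forces revalidation against the third party.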
