- From: Ilya Grigorik <igrigorik@google.com>
- Date: Mon, 7 Jul 2014 14:33:20 -0700
- To: Peter L <bizzbyster@gmail.com>
- Cc: Yoav Weiss <yoav@yoav.ws>, "public-web-perf@w3.org" <public-web-perf@w3.org>
Received on Monday, 7 July 2014 21:34:28 UTC
On Mon, Jul 7, 2014 at 1:50 PM, Peter L <bizzbyster@gmail.com> wrote:

> I don't understand what you mean. The point I'm making is that we can't
> push the jquery javascript resource used in your subresource example here:
> https://code.google.com/p/chromium/issues/detail?id=312327. Push is only
> for same origin sub-resources, which means its potential impact on
> improving concurrency is much lower than hints. See this blog post for
> further argument on the importance of prefetching non same domain
> resources:
> http://caffeinatetheweb.com/what-makes-the-web-great-also-makes-it-slow/.

Say I've included "thirdparty.com/widget.js" on my site. Said third party keeps a low TTL (60m) such that they can push quick updates, security patches, and so on. In fact, such an update is in the process of being rolled out.. except, a malicious proxy comes along and embeds an "integrity" hint on behalf of the third party leading the client to believe that the (bad / outdated) script in its cache is, in fact, valid and good...

Not a happy outcome and reason why the proxy should not be allowed to push on behalf of third parties, or claim things about the integrity of cached third-party resources.

If you want to address this, you should host the third party resources on the same origin.

ig
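The scenario in the message above, as an added example that is not part of the original message or of any browser's code: a client-side cache check that refuses to skip revalidation when an integrity hint for a stale third-party resource arrives from a different origin. The hint shape, the `documentOrigin` field, the function names and the `.example` URLs are assumptions made for illustration.

```javascript
const { createHash } = require('node:crypto');

// Integrity string in the "sha256-<base64>" style.
const sha256 = (body) =>
  'sha256-' + createHash('sha256').update(body).digest('base64');

// entry: { url, body, storedAt, ttlMs }         cached response
// hint:  { url, integrity, documentOrigin }     hypothetical hint shape
// documentOrigin is the origin of the page that carried the hint, which is
// all an intermediary rewriting that page can legitimately speak for.
function canReuseWithoutRevalidation(entry, hint, now) {
  if (now - entry.storedAt < entry.ttlMs) return { reuse: true, reason: 'fresh' };
  if (!hint || hint.url !== entry.url) return { reuse: false, reason: 'stale, no hint' };
  if (sha256(entry.body) !== hint.integrity) return { reuse: false, reason: 'hash mismatch' };
  // The hash matched, but that only proves the cache equals what the hint
  // named, not that the resource's origin still serves that version.
  if (new URL(entry.url).origin !== hint.documentOrigin) {
    return { reuse: false, reason: 'hint not from resource origin' };
  }
  return { reuse: true, reason: 'same-origin hint' };
}

// Constructed inputs: 60-minute TTL, copy cached 90 minutes ago.
const MIN = 60 * 1000;
const NOW = 1404768800000; // arbitrary constructed clock value
const oldBody = 'widget v1 (constructed, outdated)';

function constructedCases() {
  const mk = (url) => ({
    entry: { url, body: oldBody, storedAt: NOW - 90 * MIN, ttlMs: 60 * MIN },
    hint: { url, integrity: sha256(oldBody), documentOrigin: 'https://mysite.example' },
  });
  const third = mk('https://thirdparty.example/widget.js');
  const same = mk('https://mysite.example/widget.js');
  return {
    thirdParty: canReuseWithoutRevalidation(third.entry, third.hint, NOW),
    sameOrigin: canReuseWithoutRevalidation(same.entry, same.hint, NOW),
    noHint: canReuseWithoutRevalidation(third.entry, null, NOW),
  };
}

console.log(constructedCases());
```

The third-party case falls back to revalidation even though the hash matches the cached bytes, while the same script hosted on the site's own origin is reused.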