[packaging-on-the-web] Is it safe to deploy over plain-text HTTP? (#19)

Quoting from the document:
> Developers who cannot yet use HTTP/2 may find that using packages can provide performance benefits through reducing numbers of requests

I think there's an assumption here that this file format is safe to deploy over plain-text HTTP (since TLS is probably the main hurdle to adoption of HTTP/2).

Since this format enables cache population under a certain path, is it not something we know to be safe to use with HTTP? Can't it be abused, beyond the current possible abuse of the HTTP cache in MITM scenarios?

I think it'd be good if the document addressed that point.

---
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/packaging-on-the-web/issues/19

Received on Friday, 9 January 2015 16:37:06 UTC