- From: Mark Nottingham <notifications@github.com>
- Date: Wed, 28 Jan 2015 14:43:29 -0800
- To: slightlyoff/ServiceWorker <ServiceWorker@noreply.github.com>
Received on Wednesday, 28 January 2015 22:43:58 UTC
same-origin makes sense if it's a significant attack. I'm not sure it is -- how is this qualitatively different than timing the cache, or just examining the Date in the response (subject to clock skew)? AFAICT the only differences are:

* It gives a slightly higher degree of confidence, but any decent heuristics on the timing + response are going to give a very high degree of confidence anyway...

* It doesn't allow information about the probing to escape to the server. That's a little more concerning, but OTOH a single request that is the same as any legitimate request -- except that it doesn't happen as part of a page load -- is unlikely to be useful in actually stopping the attack.

---
Reply to this email directly or view it on GitHub:
https://github.com/slightlyoff/ServiceWorker/issues/585#issuecomment-71932631