- From: Jake Archibald <notifications@github.com>
- Date: Tue, 20 Sep 2016 03:28:20 -0700
- To: w3c/ServiceWorker <ServiceWorker@noreply.github.com>
Received on Tuesday, 20 September 2016 10:28:48 UTC
HEIST chat:
* Could cross origin resources count against the other origin's quota?
* But what about persistent storage?
* What about clearing out the origin?
* What about "bombing" another origin's storage usage?
* Could assign "blame" for individual requests
* Does padding already solve this?
* Advert iframes want to display credentialed content, but the load event is potentially a privacy leak through timing
Resolution:
* Investigate Mike's suggestion above
* Continue with the bucketing solution with storage - if it works out propose it for the spec
* HEIST continues to be a problem - should it be mitigated at an API-per-API level, or opt-in via same-site cookies?
--
Reply to this email directly or view it on GitHub:
https://github.com/w3c/ServiceWorker/issues/974#issuecomment-248263166