- From: Nils Dagsson Moskopp <nils@dieweltistgarnichtso.net>
- Date: Thu, 14 Aug 2014 17:28:21 +0200
- To: Ben Maurer <ben.maurer@gmail.com>, Anne van Kesteren <annevk@annevk.nl>
- Cc: "whatwg@lists.whatwg.org" <whatwg@lists.whatwg.org>, Boris Zbarsky <bzbarsky@mit.edu>, Ian Hickson <ian@hixie.ch>, William Chan <willchan@chromium.org>
Ben Maurer <ben.maurer@gmail.com> writes:

> Another concrete example with <img> tags: sometimes an abusive user will
> use a site like Facebook as a CDN -- they'll upload a picture and hotlink
> it from elsewhere. We could insert a time-stamped authentication token as a
> custom header. Today we sometimes do this via the query string -- giving
> the user a token that lasts for a few days. This means we bust the user's
> cache every time we rotate the token. With a custom header, the browser
> cache stays intact.

Why not just check the referer or origin header and act on that?

> Images would also be a great example of where logging headers could be
> extremely helpful. For example, we could log what module within a page
> rendered an image and monitor bandwidth usage and CDN cache hit rate on a
> per module basis. In the past it's taken us a long time to debug issues
> that could easily be found with this method.

This means more analytics and logging – privacy intrusions justified by the sheer complexity of systems created by several thousand monkeys on thousands of electronic typewriters. Incidentally, more fingerprinting. I do not see any immediate benefit to the user here.

--
Nils Dagsson Moskopp // erlehmann
<http://dieweltistgarnichtso.net>
Received on Thursday, 14 August 2014 15:29:03 UTC
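
The token scheme discussed in this message, as an added example that is not part of the original e-mail or any site's real code: an expiring HMAC token bound to an image path, plus the cache key a URL-keyed cache would see when the token travels in the query string versus in a request header. The secret, the path and the `|` and `.` separators are constructed assumptions; the three-day lifetime stands in for "a few days".

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"   # constructed sample key, not a real secret
TOKEN_LIFETIME = 3 * 24 * 3600     # assumed value for "a few days"


def _sign(path, expiry):
    """HMAC-SHA256 over the path and expiry, so a token cannot be moved to another image."""
    return hmac.new(SECRET, f"{path}|{expiry}".encode(), hashlib.sha256).hexdigest()


def mint_token(path, now):
    """Return 'expiry.signature' for one image path."""
    expiry = int(now) + TOKEN_LIFETIME
    return f"{expiry}.{_sign(path, expiry)}"


def verify_token(path, token, now):
    """Accept only a well-formed, unexpired token whose signature matches this path."""
    try:
        expiry_s, sig = token.split(".", 1)
        expiry = int(expiry_s)
    except ValueError:
        return False                      # malformed token: reject, never raise
    expected = _sign(path, expiry)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(sig.encode(), expected.encode()) and now < expiry


def cache_key_query(path, token):
    """Token in the query string: every rotation yields a new URL, hence a new cache entry."""
    return f"{path}?token={token}"


def cache_key_header(path, token):
    """Token in a request header: the URL, and so the cache key, is unchanged by rotation."""
    return path
```

The header variant keeps the cache entry stable only as long as the response does not list the token header in `Vary`.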