- From: Mark Nottingham <mnot@mnot.net>
- Date: Wed, 2 Aug 2017 05:55:37 +1000
- To: "Martin J. Dürst" <duerst@it.aoyama.ac.jp>
- Cc: Mirja Kühlewind <ietf@kuehlewind.net>, The IESG <iesg@ietf.org>, draft-ietf-httpbis-early-hints@ietf.org, httpbis-chairs@ietf.org, HTTP Working Group <ietf-http-wg@w3.org>
> On 1 Aug 2017, at 8:15 pm, Martin J. Dürst <duerst@it.aoyama.ac.jp> wrote: > > Mirja seems to be worried more about DOS-like attacks on resources (client storage, processing power, and network bandwidth). In usual operation, a web client can always decide just to not download some stuff. But with pushes,..., the client at least has to be more actively watchful, and a note to that effect may help. > (In colloquial terms, it's the difference between "we'll only ever send you what you asked for explicitly" and "we'll send you whatever we think you may need or want; you can always say no if you don't".) The counterargument is that push is a direct replacement for inlining the content directly, and offers the client *better* control compared to it. Regardless, this particular issue isn't about push, it's about giving link hints to the client, which the client does have control over. The actual specs for those hints already have specific security considerations, e.g., <https://w3c.github.io/preload/#privacy>. Cheers, -- Mark Nottingham https://www.mnot.net/
Received on Tuesday, 1 August 2017 19:56:08 UTC