- From: Guille -bisho- <bishillo@gmail.com>
- Date: Wed, 21 May 2014 09:10:20 -0700
- To: Chris Drechsler <chris.drechsler@etit.tu-chemnitz.de>
- Cc: Amos Jeffries <squid3@treenet.co.nz>, ietf-http-wg@w3.org

My 2 cents after reading the draft:

ETag and If-None-Match already give a conditional GET feature with a hash that does not need a reset of the connection.

Your proposal adds very little caching for bad practices. Nobody should be using two URLs for the same resource; if you need load balancing between two CDNs, you should be consistent, and js1 should always be requested from site1 and js2 from site2. And this is being improved by HTTP2, which will eliminate the need for sharding among domains to overcome limits of parallel requests and head-of-line blocking.

The Cache-NT header can only be applied within a domain, and even there it is risky. A malicious user could inject malicious content with a Cache-NT header that matches another resource to poison the cache. Even if intermediate caches check the hash, there are still pre-image attacks; it won't be hard to find a collision and append malicious code to a js file.

With Cache-NT you are only avoiding the transfer of the content, but still incurring the request to the backend server. Most of the time that is the expensive part, and before you reset the connection the backend would have probably sent you another 8 packets of information (the recommended initcwnd is 9 these days).

If the request should be cached, better get the provider to configure caching properly to avoid doing the request altogether than this opportunistic but dangerous way of avoiding some extra transfers over the wire.

Guille -bisho-
<bisho@freedreams.org|fb.com>
:wq

Received on Wednesday, 21 May 2014 16:11:09 UTC
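
The cache-poisoning concern raised in the message above, as an added example that is not part of the original e-mail or of the draft under discussion: a toy intermediate cache keyed by the digest a response claims, once trusting the header and once recomputing the digest before storing. The class and function names, the use of a hex SHA-256 digest as the header value, and the sample bodies are all assumptions made for illustration; the example covers only the verification step, not the collision argument in the message.

```python
import hashlib


class HashKeyedCache:
    """Toy intermediate cache whose key is the digest claimed in a response header."""

    def __init__(self, verify):
        self.verify = verify  # True: recompute the digest before storing
        self.store = {}

    def offer(self, claimed_digest, body):
        """A response passes through the cache; returns True if it was stored."""
        if self.verify and hashlib.sha256(body).hexdigest() != claimed_digest:
            return False  # header does not match the body: refuse to cache it
        self.store.setdefault(claimed_digest, body)  # first stored entry wins
        return True

    def lookup(self, claimed_digest):
        """A later request that names the same digest is answered from the store."""
        return self.store.get(claimed_digest)


def simulate(verify):
    """Returns (mismatched response was cached, later client got the real file)."""
    cache = HashKeyedCache(verify)
    legit = b"function init() { return 1; }"            # constructed sample body
    other = b"function init() { return 'tampered'; }"   # constructed sample body
    legit_digest = hashlib.sha256(legit).hexdigest()

    # An untrusted origin labels its own body with the legitimate file's digest.
    cached_mismatch = cache.offer(legit_digest, other)
    # The legitimate response arrives afterwards.
    cache.offer(legit_digest, legit)

    served = cache.lookup(legit_digest)
    return cached_mismatch, served == legit


if __name__ == "__main__":
    print("trusting the header:", simulate(verify=False))
    print("verifying the body: ", simulate(verify=True))
```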