> > > - If a page adds the header by mistake, can easily remove it. > > Who do you mean by "you" in this statement? The domain owner. Imagine www.foo.com adds a header by mistake to not revalidate from domain not-static.foo.com. If it's a mistake, they can remove the header easily, and not-static.foo.com will have revalidations again. The static behavior can be revoked with ease. > > > - A page can't self-reference their domain, so no risk of bricking > yourself. > > But as proposed you would be able to pin index.html. So I don't get > this either. > No if we don't allow self-reference. www.foo.com can only disable revalidations on other *different* domains and those are effective for sub-resources only, no direct page navigations. Imagine page a.com tries to use maliciously b.com/index.html as a subresouce and request not revalidation. If b.com/index.html has a cache control header, it will be obeyed, and client reloads on a.com won't cause revalidation of b.com/index.html. But people browsing to b.com/index.html will have the normal behavior, revalidations and so on. So this will be simply let page-owner define what other domains are used for static resources and should not be revalidated. The subresources still need the usual ttls and cache headers. And direct browsing to the subresources won't follow the non-revalidation policies. It's exactly what facebook (and others need). Define the reload behavior, but rather than doing it in the sub-resources, specify the behavior on the hosting page directly. -- Guille -ℬḭṩḩø- <bishillo@gmail.com> :wq
Received on Thursday, 16 July 2015 20:03:52 UTC