Re: Mirja Kühlewind's No Objection on draft-ietf-httpbis-early-hints-04: (with COMMENT)

> On 31 Jul 2017, at 11:06 pm, Mirja Kühlewind <ietf@kuehlewind.net> wrote:
> 
> Not sure if this should be part of the security consideration but isn't there
> also a higher risk of loading resources unnecessarily if the final response
> turns out to not need these resources? Could that be even used somehow as an
> attack?

The general thinking here is that in terms of risk, preload and server push are no different than "normal" Web operations -- the server already has the ability to push arbitrary bits at the client, get it to make other requests, etc. Because pushes and preloads are modelled as client requests, they're already within the web security model.

Cheers,

--
Mark Nottingham   https://www.mnot.net/

Received on Monday, 31 July 2017 23:40:26 UTC