- From: <bugzilla@jessica.w3.org>
- Date: Wed, 06 Feb 2013 21:53:56 +0000
- To: public-html-bugzilla@w3.org
https://www.w3.org/Bugs/Public/show_bug.cgi?id=20789

--- Comment #12 from estark@mit.edu ---

I agree with Victor's comments and also wanted to emphasize that neither of the two controversies in bug 11402 seems to apply here:

1.) The cache poisoning attack doesn't seem to be relevant even to bug 11402, since the attack can only be carried out successfully if the browser fails to verify the hash before caching the script, which would be a major implementation error in the browser.

2.) In this proposal, the digest attribute does not affect the browser's caching behavior, so the bitrot problem mentioned in bug 11402 would not apply to the proposed digest hash. If a developer updates a library and forgets to update some script tag's digest attribute, then the bug will show up for all users, and its manifestation won't depend on the state of a user's cache as in bug 11402. In practice, libraries hosted on CDNs often include version numbers in the filenames anyway (e.g. http://code.jquery.com/jquery-1.9.1.min.js), so script tags already have to be updated when new versions are pushed.

--
You are receiving this mail because:
You are the QA Contact for the bug.
Received on Wednesday, 6 February 2013 21:54:02 UTC