[fetch] Cache mode: security review (#39)

It seems to some extent the new cache mode feature can be emulated using timing information. However, it is unclear whether that is sufficient justification to expose the information with more certainty.

Sharing whether the user has an entry in its HTTP cache does allow for fingerprinting and figuring out what sites a user visits. (Note that CORS doesn't really change this as far as I can tell.)

---
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/39

Received on Sunday, 5 April 2015 11:44:23 UTC