[whatwg/fetch] Use integrity hash as cache identifier (#301)

When using subresource integrity hashes to verify the content of downloaded script and style assets, could the integrity hash be used as an additional cache identifier with higher priority than the URL?

Since the SRI specification already defines a way to upgrade to a better hash function in case the used hash algorithm is broken and outdated, it should be safe enough to assume that these hashes can uniquely identify content regardless of URL.

In such a cache identifier regime these use cases could result in cache hits:

- Visitor has a cached jquery 2.2.3 from [https://cdnjs.cloudflare.com/ajax/libs/jquery/2.2.3/jquery.min.js](https://cdnjs.cloudflare.com/ajax/libs/jquery/3.0.0-beta1/jquery.min.js) and visits a page that uses the same version of jquery with the same integrity hash, but from a different CDN provider that the browser hasn't seen yet. The user gets a cache hit.

- Visitor has a cached jquery 2.2.3 from [https://cdnjs.cloudflare.com/ajax/libs/jquery/2.2.3/jquery.min.js](https://cdnjs.cloudflare.com/ajax/libs/jquery/3.0.0-beta1/jquery.min.js) and visits a page that uses the same version of jquery with the same integrity hash, but from the host's own domain. The user gets a cache hit.

Obviously this makes maintaining the browser cache slightly more complex, as it will need to maintain two indexes for the same content.

If this idea gets implemented in the spec it might be beneficial for the browser to always calculate an integrity hash for third party scripts/styles in order to add the hash to the integrity cache. This should then be done in a non-blocking manner when the browser is idle or similar.

I don't have any experience with writing specs, and have tried for the last few days to wrap my head around the fetch spec, with limited success. I don't feel capable of writing the proposal myself, but I'm hoping some experts can weigh in here and highlight the parts I haven't thought about.

---
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/301

Received on Monday, 9 May 2016 16:40:40 UTC
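
A small model of the two-index cache the post proposes, added here as an illustration and not taken from the Fetch or SRI specifications or from any browser. `IntegrityCache`, `sri_digest` and `strongest` are hypothetical names and any body or URL passed in is the caller's sample data; honouring only the strongest listed algorithm follows SRI's existing behaviour.

```python
import base64
import hashlib

# Hash functions SRI allows, ranked weakest to strongest.
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_digest(alg, body):
    """Return integrity metadata in the form '<alg>-<base64 digest>'."""
    digest = hashlib.new(alg, body).digest()
    return alg + "-" + base64.b64encode(digest).decode()


def strongest(integrity):
    """Keep only the tokens that use the strongest supported algorithm."""
    tokens = [t.split("?")[0] for t in integrity.split()]
    tokens = [t for t in tokens if t.split("-", 1)[0] in STRENGTH]
    best = max((STRENGTH[t.split("-", 1)[0]] for t in tokens), default=0)
    return [t for t in tokens if STRENGTH[t.split("-", 1)[0]] == best]


class IntegrityCache:
    """Model cache: two indexes over the same bodies (hypothetical design)."""

    def __init__(self):
        self.by_url = {}     # URL -> body
        self.by_digest = {}  # '<alg>-<base64>' -> body

    def store(self, url, body):
        self.by_url[url] = body
        # Index under every SRI algorithm so a later page may use any of them.
        # The post suggests a browser would do this hashing while idle.
        for alg in STRENGTH:
            self.by_digest[sri_digest(alg, body)] = body

    def lookup(self, url, integrity=""):
        """Return (body, how); how is 'integrity', 'url' or 'miss'."""
        wanted = strongest(integrity)
        for token in wanted:  # the digest index has priority over the URL
            if token in self.by_digest:
                return self.by_digest[token], "integrity"
        body = self.by_url.get(url)
        if body is None:
            return None, "miss"
        if wanted and not any(sri_digest(t.split("-", 1)[0], body) == t for t in wanted):
            return None, "miss"  # the body cached for this URL fails the check
        return body, "url"
```
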