- From: Mark Nottingham <notifications@github.com>
- Date: Thu, 23 Feb 2017 22:48:56 -0800
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Friday, 24 February 2017 06:49:28 UTC
Back to the issue of what the purpose behind NOT using the HTTP cache for H2 PUSHed responses -- IIRC (and this is hazy), one concern was that on sites that represent more than one party (e.g., a shared web host), a hostile user could push content into the cache under another user's URLs. However, as was pointed out at the workshop, our malicious user could easily circumvent that by just referencing them from the page that's loaded from the attacking URL; they'll be "used" by that page, and then promoted into the HTTP cache. See also: http://httpwg.org/specs/rfc7540.html#rfc.section.10.4 I think that the browser implementers of H2 did things this way out of an abundance of caution, but the feeling at the workshop was that we could probably move past this now. @mcmanus @martinthomson anything to add? -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/354#issuecomment-282217972
Received on Friday, 24 February 2017 06:49:28 UTC