- From: sleevi <notifications@github.com>
- Date: Wed, 08 Mar 2017 07:35:43 -0800
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/fetch/issues/307/285074305@github.com>
@annevk When you state "responsible setup" are you suggesting on the user agent or the server? As @jakearchibald and @igrigorik know, there's a non-trivial amount of developer pain caused simply by the inability to reuse the same sockets due to the separation - not ideal, but perhaps a necessary evil relative to the risks to privacy or security. However, I'm having a difficult time understanding and articulating the risks here for this, especially compared to the developer pain it can/will no doubt induce, and that makes it difficult for me to find other folks on the Chrome team to engage on this issue, so I'm trying to make sure I understand. I'm trying to understand if this is conceptually different in risk scenarios to a site having a lax CSP policy or XSSing itself. The knob to control things - A-C-A-O - is being turned up to 11, and that's on the site operator. Personally, I'm fairly against the notion that we would need to differentiate on credentials, because I'm trying to see how/why using that logic we wouldn't end up with trying to vary the cache with every client certificate used - that is, if you use CC A, it can't use the cache for resources obtained with CC B. For some usages, that would 'effectively' disable meaningful caching if the client cert rotates on a frequent basis (e.g. 8 hours). -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/307#issuecomment-285074305
Received on Wednesday, 8 March 2017 15:36:18 UTC