- From: Peter Morris <notifications@github.com>
- Date: Sat, 02 May 2020 05:46:03 -0700
- To: w3ctag/design-reviews <design-reviews@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Saturday, 2 May 2020 12:46:16 UTC
This will negatively affect CDN for improved site speed, especially for larger resources. This cross-site exploit is only possible for resources for unique URLs. E.g. If I understand correctly, I can check if the user has been to IBM.com by requesting something from that domain and checking it was cached. What if partitioning was default, but servers can specify they are commonly shared resources by returning a header with the resource? Perhaps something like `http-cache-partitioning: none`, where an absence of this header implies `http-cache-partitioning: partitioned`. That way, by default IBM.com won't have this header and its resources will be partitioned, but CDNs for Angular / Bootstrap etc can return the header to indicate the cache should be shared, and will save download times. If multiple sites wanted to conspire to track users across sites then they could maliciously enable this header on a secret resource on their domains, but if they are going to conspire then there are much better ways of tracking users across sites owned by collaborators - such as exchanging IP addresses with each other. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/w3ctag/design-reviews/issues/424#issuecomment-622948216
Received on Saturday, 2 May 2020 12:46:16 UTC