- From: Ryan Sleevi <notifications@github.com>
- Date: Thu, 05 Aug 2021 10:01:15 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Thursday, 5 August 2021 17:01:27 UTC
> I don't agree that the NPK is purely for privacy. It mitigates a number of XS-Leaks attacks. @annevk To the extent it relates to XS-Leaks, I'm just wanting to confirm: does the full NPK matter to that mitigation, or would it be fully sufficient that `Vary: Cookie, Authorization` would mitigate these (namely, ensuring credentialless vs credentialed requests are separately cached)? My understanding here is that we don't need the full NPK from a security perspective. From a privacy perspective, yes, I do believe NPK fails to achieve privacy goals in the presence of any intermediary, whether it's close to the client or close to the server. We simply don't care as much about those close to the server, simply because we expect we're disclosing to the server that we are or have previously accessed it, so the fact that it learns that we're accessing it isn't that interesting. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/1253#issuecomment-893616680
Received on Thursday, 5 August 2021 17:01:27 UTC