- From: Ryan Sleevi <notifications@github.com>
- Date: Fri, 06 Aug 2021 04:05:30 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Friday, 6 August 2021 11:05:43 UTC
If the fact that two different users of B are supposed to be idempotent of each other, B should express that (e.g. the resources should not be credentialless). I think we’re in agreement that there’s a probing attack here, but that doesn’t seem related to NPK, at its core. For example, if B was credentialed with `Vary: Cookie`, then the NPK wouldn’t matter at all: even under the same-meat-user case, A’s cookie jar for B would be different than C’s cookie jar for B, leading to different cookies, leading to different cache entries for B-in-A and B-in-C.

--
Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/1253#issuecomment-894184137