- From: Adam Rice <notifications@github.com>
- Date: Mon, 27 Oct 2025 17:43:58 -0700
- To: w3c/ServiceWorker <ServiceWorker@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Tuesday, 28 October 2025 00:44:02 UTC
ricea left a comment (w3c/ServiceWorker#1798)

An issue is that opaque resources can be stored by the Cache API, however we shouldn't reveal anything about opaque resources to JavaScript. If the Cache API supported the No-Vary-Search response header as described, then a malicious site could determine whether or not the header is present, which might reveal information about whether the user is logged in or maybe even what searches they have been doing.

One mitigation would be to only support "Fully explicit" mode, and require JavaScript to explicitly specify the header value to use.

--
Reply to this email directly or view it on GitHub: https://github.com/w3c/ServiceWorker/issues/1798#issuecomment-3453950052
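An added example, not part of the original comment or of any specification: a simplified JavaScript model of the concern above, showing why a match result that depends on a stored opaque response's header is observable, and why a caller-supplied value is not. The `ModelCache` class, the array form of the No-Vary-Search value, and the `noVarySearch` option name are assumptions made for illustration.

```javascript
// Simplified model, not the real Cache API. A No-Vary-Search value is
// represented as an array of query parameter names to ignore when matching.
function searchKey(url, ignoredParams) {
  const u = new URL(url);
  for (const name of ignoredParams) u.searchParams.delete(name);
  u.searchParams.sort();
  return u.origin + u.pathname + "?" + u.searchParams.toString();
}

class ModelCache {
  constructor() { this.entries = []; }

  // Each entry models an opaque response: page script must never learn
  // `storedNvs`, the value of its No-Vary-Search header (null if absent).
  put(url, storedNvs) {
    this.entries.push({ url, storedNvs });
  }

  // Implicit mode: the stored response's own header decides what matches,
  // so the boolean result is a function of a hidden header.
  matchImplicit(url) {
    return this.entries.some((e) => {
      const ignored = e.storedNvs ?? [];
      return searchKey(e.url, ignored) === searchKey(url, ignored);
    });
  }

  // "Fully explicit" mode: only the caller-supplied value is consulted
  // (hypothetical option name), so the result depends on URLs alone.
  matchExplicit(url, { noVarySearch = [] } = {}) {
    return this.entries.some(
      (e) => searchKey(e.url, noVarySearch) === searchKey(url, noVarySearch));
  }
}

// Same lookup against two caches that differ only in the hidden header
// (constructed sample URLs).
function compareModes() {
  const stored = "https://other.example/search?q=1&session=abc";
  const lookup = "https://other.example/search?q=1&session=zzz";
  const withHeader = new ModelCache();
  withHeader.put(stored, ["session"]);
  const withoutHeader = new ModelCache();
  withoutHeader.put(stored, null);
  const caches = [withHeader, withoutHeader];
  return {
    implicit: caches.map((c) => c.matchImplicit(lookup)),
    explicit: caches.map((c) => c.matchExplicit(lookup, { noVarySearch: ["session"] })),
  };
}
```

In implicit mode the two caches give different answers, so the header's presence is visible to script; in explicit mode the answers are identical regardless of what the opaque response carried.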