Re: [w3c/ServiceWorker] Support No-Vary-Search header in Cache API (Issue #1798)

wanderview left a comment (w3c/ServiceWorker#1798)

> An issue is that opaque resources can be stored by the Cache API, however we shouldn't reveal anything about opaque resources to JavaScript. If the Cache API supported the No-Vary-Search response header as described, then a malicious site could determine whether or not the header is present, which might reveal information about whether the user is logged in or maybe even what searches they have been doing.

Do we expect that No-Vary-Search will be served differently based on user state?  It seems likely this is going to be a static header applied based on the type of resource; like cache control headers.  Indeed, this is another cache control header.

Correct me if I'm wrong, but I think currently http cache honors cache control headers for non-cors subresource requests.  Does http cache honor this header for no-cors subresource requests?  (I'm guessing yes.)  It would seem reasonable to do the same for opaque responses here as well.

I agree normally we don't want to reveal any details about opaque responses, but I think the threat model there is actually about variable contents of the response (content, cookies, etc).

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3c/ServiceWorker/issues/1798#issuecomment-3461460871

Message ID: <w3c/ServiceWorker/issues/1798/3461460871@github.com>

Received on Wednesday, 29 October 2025 13:16:05 UTC
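The matching behaviour the thread is debating, as an added example that is not code from the GitHub issue, the ServiceWorker spec or any browser: a small model of how a No-Vary-Search response header changes which request URLs are treated as the same cache entry. It models only the `params`, `except` and `key-order` members, and the header parser is a hand-written subset of Structured Fields syntax rather than a full RFC 8941 parser (both are assumptions of this example). The function names (`parseNoVarySearch`, `cacheKey`, `sameCacheEntry`) and the sample URLs are constructed for illustration.

```javascript
// Added example, not code from the GitHub thread or the ServiceWorker
// spec: a simplified model of how a No-Vary-Search response header
// changes URL matching in a cache. Only the "params", "except" and
// "key-order" members are modelled, and the header parser is a
// hand-written subset of Structured Fields syntax (assumption), not a
// full RFC 8941 parser.

// Parse a No-Vary-Search header value.
//   params:   true (ignore every query parameter) or a Set of names to ignore
//   except:   Set of names that still distinguish entries when params === true
//   keyOrder: true when query-parameter order is not significant
function parseNoVarySearch(value) {
  const policy = { params: new Set(), except: new Set(), keyOrder: false };
  for (const rawMember of (value || '').split(',')) {
    const member = rawMember.trim();
    if (!member) continue;
    const eq = member.indexOf('=');
    const name = eq === -1 ? member : member.slice(0, eq).trim();
    const val = eq === -1 ? null : member.slice(eq + 1).trim();
    if (name === 'params') {
      policy.params = val === null ? true : parseInnerList(val);
    } else if (name === 'except') {
      policy.except = val === null ? new Set() : parseInnerList(val);
    } else if (name === 'key-order') {
      policy.keyOrder = val === null || val === '?1';
    }
    // Unknown members are ignored, as Structured Field consumers must.
  }
  return policy;
}

// Parse an inner list such as ("a" "b") into a Set of strings.
function parseInnerList(text) {
  const m = /^\((.*)\)$/.exec(text);
  if (!m) throw new Error(`expected inner list, got: ${text}`);
  const items = new Set();
  for (const tok of m[1].match(/"[^"]*"/g) || []) items.add(tok.slice(1, -1));
  return items;
}

// Reduce a URL to the part that, under the policy, identifies a cache entry.
// The fragment is dropped because it is never sent to the server anyway.
function cacheKey(urlString, policy) {
  const url = new URL(urlString);
  let pairs = [...url.searchParams.entries()].filter(([name]) =>
    policy.params === true ? policy.except.has(name) : !policy.params.has(name)
  );
  if (policy.keyOrder) {
    // Array.prototype.sort is stable, so repeated names keep their relative order.
    pairs = pairs.sort(([a], [b]) => (a < b ? -1 : a > b ? 1 : 0));
  }
  const query = new URLSearchParams(pairs).toString();
  return url.origin + url.pathname + (query ? '?' + query : '');
}

// Decide whether a request URL should hit the stored entry, given the
// No-Vary-Search header that was stored with the entry's response.
function sameCacheEntry(requestUrl, storedUrl, noVarySearchHeader) {
  const policy = parseNoVarySearch(noVarySearchHeader);
  return cacheKey(requestUrl, policy) === cacheKey(storedUrl, policy);
}

// Constructed sample: tracking parameters the server says not to vary on.
const sampleHeader = 'params=("utm_source" "utm_campaign")';
console.log(sameCacheEntry(
  'https://example.test/article?id=7&utm_source=mail',
  'https://example.test/article?id=7',
  sampleHeader
)); // true
```

Note that the match decision consumes nothing but the two URLs and the stored header value; that is what makes it the same kind of static, per-resource metadata as the cache-control headers the comment compares it to. Whether a cache should consult that header for an opaque response, where the page cannot otherwise observe the header, is the open question in the thread and is not something this code decides.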