
Re: [integrity] content-addressable cache?

From: Brad Hill <hillbrad@gmail.com>
Date: Fri, 24 Oct 2014 12:03:25 -0700
Message-ID: <CAEeYn8g9JGbvyCHKjmZ2A3-O6CyHvHNM8hgifLWp7DSJLwAONw@mail.gmail.com>
To: Mark Nottingham <mnot@mnot.net>
Cc: Mark Goodwin <mgoodwin@mozilla.com>, WebAppSec WG <public-webappsec@w3.org>
> I hesitate to mention it, but an explicit opt-in from the server sending the cached content (e.g., a new Cache-Control directive) would probably do the trick here; presumably it would only be sent on *really* public things (such as common JS libraries).

That's pretty much what Access-Control-Allow-Access; * is now.  But if
you want to track users cross-origin using this mechanism you'll set
that, or any other new header we invent, even if the content isn't
really public.  I'm not saying I'm super concerned about this vector,
but I think new headers are just piling on more turtles.

Received on Friday, 24 October 2014 19:03:53 UTC