- From: Brad Hill <hillbrad@gmail.com>
- Date: Fri, 24 Oct 2014 12:03:25 -0700
- To: Mark Nottingham <mnot@mnot.net>
- Cc: Mark Goodwin <mgoodwin@mozilla.com>, WebAppSec WG <public-webappsec@w3.org>
> I hesitate to mention it, but an explicit opt-in from the server sending the cached content (e.g., a new Cache-Control directive) would probably do the trick here; presumably it would only be sent on *really* public things (such as common JS libraries).

That's pretty much what Access-Control-Allow-Access; * is now. But if you want to track users cross-origin using this mechanism you'll set that, or any other new header we invent, even if the content isn't really public. I'm not saying I'm super concerned about this vector, but I think new headers are just piling on more turtles.
Received on Friday, 24 October 2014 19:03:53 UTC