
Re: [REFERRER] updating referrer policy and request caching

From: Nottingham, Mark <mnotting@akamai.com>
Date: Tue, 16 Jun 2015 02:41:07 +0000
To: Franziskus Kiefer <fkiefer@mozilla.com>
CC: public-webappsec <public-webappsec@w3.org>
Message-ID: <AE4CCC55-59DF-45CC-A42F-64CFC3720C97@akamai.com>
Hi,

> On 15 Jun 2015, at 1:26 pm, Franziskus Kiefer <fkiefer@mozilla.com> wrote:
> 
> 2) A different problem regarding referrer policies is with respect to request caching. It essentially boils down to the following question: Are requests that are identical except for their referrer policy supposed to be reused or not?
> Consider the following scenario:
> Assume we have multiple identical images on a website with different referrer policies. Being strict, the image would have to be loaded multiple times in order to honour the referrer policies. However, this creates unnecessary traffic and does not increase privacy as the full referrer is probably sent out for one of the requests anyway. Querying the image only once, on the other hand, might lead to displaying a wrong image in case the response depends on the referrer.

If the response depends on the referer, all responses for that resource should carry a Vary header that says so.
  http://httpwg.github.io/specs/rfc7231.html#header.vary
  http://httpwg.github.io/specs/rfc7234.html#caching.negotiated.responses

Cheers,

--
Mark Nottingham    mnot@akamai.com    https://www.mnot.net/
Received on Tuesday, 16 June 2015 02:41:39 UTC
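
An added illustration, not part of the original message: a minimal cache that selects stored responses by the Vary matching rule in the RFC 7234 section linked above, run over the two-images scenario from the quoted question. `VaryCache`, `runScenario`, the `example` URLs and the lowercase header keys are assumptions made for this sketch.

```javascript
// Added illustration: minimal HTTP cache honouring Vary (RFC 7234 section 4.1).
// VaryCache, originFetch and runScenario are hypothetical names.
class VaryCache {
  constructor(originFetch) {
    this.originFetch = originFetch; // (url, reqHeaders) => { headers, body }
    this.store = new Map();         // url -> [{ reqHeaders, response }]
    this.originHits = 0;
  }

  // A stored response is reusable only if every request header named in its
  // Vary field has the same value (or is absent) in both requests.
  static matches(entry, reqHeaders) {
    const vary = entry.response.headers['vary'];
    if (!vary) return true; // no Vary: the URL alone selects the response
    const fields = vary.split(',').map(f => f.trim().toLowerCase());
    if (fields.includes('*')) return false; // "Vary: *" never matches
    return fields.every(
      f => (entry.reqHeaders[f] ?? null) === (reqHeaders[f] ?? null));
  }

  fetch(url, reqHeaders = {}) {
    const entries = this.store.get(url) || [];
    const hit = entries.find(e => VaryCache.matches(e, reqHeaders));
    if (hit) return hit.response;
    this.originHits++;
    const response = this.originFetch(url, reqHeaders);
    entries.push({ reqHeaders: { ...reqHeaders }, response });
    this.store.set(url, entries);
    return response;
  }
}

// Constructed scenario: the same image is requested twice from one page,
// once with the full referrer and once under a no-referrer policy.
// The origin's response body depends on the Referer request header.
function runScenario(originSendsVary) {
  const origin = (url, h) => ({
    headers: originSendsVary ? { vary: 'Referer' } : {},
    body: h.referer ? 'image-for-' + h.referer : 'image-no-referrer',
  });
  const cache = new VaryCache(origin);
  const img = 'https://img.example/logo.png';
  const first = cache.fetch(img, { referer: 'https://site.example/page' });
  const second = cache.fetch(img, {}); // no Referer header sent
  return { originHits: cache.originHits, first: first.body, second: second.body };
}
```

With `Vary: Referer` the second request misses the cache and gets its own response; without it the cache reuses the first response, which is the "wrong image" case from the question.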
