
Re: [whatwg] Fetch Objects and scripts/stylesheets

From: Nils Dagsson Moskopp <nils@dieweltistgarnichtso.net>
Date: Thu, 14 Aug 2014 17:28:21 +0200
To: Ben Maurer <ben.maurer@gmail.com>, Anne van Kesteren <annevk@annevk.nl>
Message-ID: <87ppg3t7je.fsf@dieweltistgarnichtso.net>
Cc: "whatwg@lists.whatwg.org" <whatwg@lists.whatwg.org>, Boris Zbarsky <bzbarsky@mit.edu>, Ian Hickson <ian@hixie.ch>, William Chan <willchan@chromium.org>

Ben Maurer <ben.maurer@gmail.com> writes:

> Another concrete example with <img> tags: sometimes an abusive user will
> use a site like Facebook as a CDN -- they'll upload a picture and hotlink
> it from elsewhere. We could insert a time-stamped authentication token as a
> custom header. Today we sometimes do this via the query string -- giving
> the user a token that lasts for a few days. This means we bust the user's
> cache every time we rotate the token. With a custom header, the browser
> cache stays intact.

Why not just check the referer or origin header and act on that?

> Images would also be a great example of where logging headers could be
> extremely helpful. For example, we could log what module within a page
> rendered an image and monitor bandwidth usage and CDN cache hit rate on a
> per module basis. In the past it's taken us a long time to debug issues
> that could easily be found with this method.

This means more analytics and logging – privacy intrusions justified by
the sheer complexity of systems created by several thousand monkeys on
thousands of electronic typewriters. Incidentally, more fingerprinting.

I do not see any immediate benefit to the user here.

Nils Dagsson Moskopp // erlehmann
Received on Thursday, 14 August 2014 15:29:03 UTC
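
The trade-off in the quoted text above (a time-stamped token in the query string versus in a custom request header), as an added example that is not part of the original message or of any site's real code. The HMAC token format, the header name `x-image-token`, the three-day lifetime, the key, and the URL-keyed cache model are all assumptions made for the illustration.

```javascript
const crypto = require("node:crypto");

const KEY = "constructed-demo-key";   // constructed secret for the demo only
const TTL = 3 * 24 * 3600;            // assumed token lifetime: three days, in seconds
const HEADER = "x-image-token";       // hypothetical header name

// HMAC-SHA256 over the issue time and the path, so a token is bound to one image.
function mac(path, issuedAt) {
  return crypto.createHmac("sha256", KEY).update(`${issuedAt}\n${path}`).digest("hex");
}

function mintToken(path, issuedAt) {
  return `${issuedAt}.${mac(path, issuedAt)}`;
}

function verifyToken(path, token, now) {
  const parts = String(token).split(".");
  if (parts.length !== 2 || !/^\d+$/.test(parts[0])) return false;
  const issuedAt = Number(parts[0]);
  if (issuedAt > now || now - issuedAt > TTL) return false;  // future-dated or expired
  const given = Buffer.from(parts[1]);
  const expected = Buffer.from(mac(path, parts[0]));
  // Constant-time comparison; the length check keeps timingSafeEqual from throwing.
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

// Server side: take the token from the header if present, else from ?token=.
// A plain hotlinked <img> on another site carries neither and is refused.
function authorize(req, now) {
  const url = new URL(req.url);
  const token = req.headers[HEADER] ?? url.searchParams.get("token");
  return token != null && verifyToken(url.pathname, token, now);
}

// Simplified cache model: entries are keyed by URL (assumes the response
// does not list the token header in Vary).
function cacheKey(req) {
  return req.url;
}

// Constructed requests for one image, before (T0) and after (T1) a token rotation.
const IMG = "https://cdn.example/photos/1.jpg";
const T0 = 1408000000, T1 = T0 + TTL;
const viaQuery = (t) => ({ url: `${IMG}?token=${mintToken("/photos/1.jpg", t)}`, headers: {} });
const viaHeader = (t) => ({ url: IMG, headers: { [HEADER]: mintToken("/photos/1.jpg", t) } });

console.log("query-string key changes on rotation:", cacheKey(viaQuery(T0)) !== cacheKey(viaQuery(T1)));
console.log("header key stable on rotation:", cacheKey(viaHeader(T0)) === cacheKey(viaHeader(T1)));
```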
