- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Tue, 19 Aug 2014 08:06:03 +0200
- To: Nils Dagsson Moskopp <nils@dieweltistgarnichtso.net>
- Cc: "whatwg@lists.whatwg.org" <whatwg@lists.whatwg.org>, Boris Zbarsky <bzbarsky@mit.edu>, Ian Hickson <ian@hixie.ch>, William Chan <willchan@chromium.org>, Ben Maurer <ben.maurer@gmail.com>
On Thu, Aug 14, 2014 at 5:28 PM, Nils Dagsson Moskopp <nils@dieweltistgarnichtso.net> wrote:
> Ben Maurer <ben.maurer@gmail.com> writes:
>> Another concrete example with <img> tags: sometimes an abusive user will
>> use a site like Facebook as a CDN -- they'll upload a picture and hotlink
>> it from elsewhere. We could insert a time-stamped authentication token as a
>> custom header. Today we sometimes do this via the query string -- giving
>> the user a token that lasts for a few days. This means we bust the user's
>> cache every time we rotate the token. With a custom header, the browser
>> cache stays intact.
>
> Why not just check the referer or origin header and act on that?

That is not tied to the user.

>> Images would also be a great example of where logging headers could be
>> extremely helpful. For example, we could log what module within a page
>> rendered an image and monitor bandwidth usage and CDN cache hit rate on a
>> per module basis. In the past it's taken us a long time to debug issues
>> that could easily be found with this method.
>
> This means more analytics and logging – privacy intrusions justified by
> the sheer complexity of systems created by several thousand monkeys on
> thousands of electronic typewriters. Incidentally, more fingerprinting.
>
> I do not see any immediate benefit to the user here.

They can get this either way. E.g. the token could be put in the URL as well.
Allowing custom headers makes the setup a bit nicer and actually allows
developers to use the "strengths" of HTTP.

-- 
http://annevankesteren.nl/
Received on Tuesday, 19 August 2014 06:08:34 UTC