- From: Ben Maurer <ben.maurer@gmail.com>
- Date: Tue, 29 Jul 2014 08:22:53 -0700
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: "whatwg@lists.whatwg.org" <whatwg@lists.whatwg.org>, Boris Zbarsky <bzbarsky@mit.edu>, Ian Hickson <ian@hixie.ch>, William Chan (ιζΊζ) <willchan@chromium.org>
Another concrete example with <img> tags: sometimes an abusive user will use a site like Facebook as a CDN -- they'll upload a picture and hotlink it from elsewhere. We could insert a time-stamped authentication token as a custom header. Today we sometimes do this via the query string -- giving the user a token that lasts for a few days. This means we bust the user's cache every time we rotate the token. With a custom header, the browser cache stays intact.

Images would also be a great example of where logging headers could be extremely helpful. For example, we could log what module within a page rendered an image and monitor bandwidth usage and CDN cache hit rate on a per-module basis. In the past it's taken us a long time to debug issues that could easily be found with this method.

On Mon, Jul 28, 2014 at 11:51 PM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Mon, Jul 28, 2014 at 8:34 PM, Ian Hickson <ian@hixie.ch> wrote:
> > What's the use case here? Why are we trying to send custom headers on a
> > <link>?
>
> E.g. for <img> and such you want to turn authentication dialogs off.
> Cross-origin images can be fine, but not if they start spawning
> confusing dialogs to users making them leak passwords.
>
>
> --
> http://annevankesteren.nl/
>
Received on Tuesday, 29 July 2014 15:23:38 UTC
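
An added example, not part of the original message: a sketch of the time-stamped anti-hotlinking token discussed above, showing that rotating a query-string token changes the cache key while a header-carried token leaves it stable. The header name `X-Image-Token`, the token format, the key and the helper names are assumptions made for illustration.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"    # constructed secret for the example, not a real key
TOKEN_LIFETIME = 3 * 24 * 3600   # "a few days", as in the message (assumed value)
HEADER = "X-Image-Token"         # hypothetical custom header name


def _mac(path: str, expiry: str, key: bytes) -> str:
    # Bind the MAC to both the image path and the expiry timestamp.
    return hmac.new(key, f"{path}\n{expiry}".encode(), hashlib.sha256).hexdigest()


def mint_token(path: str, now: int, key: bytes = KEY) -> str:
    """Return '<expiry>.<hex HMAC-SHA256>' valid for TOKEN_LIFETIME seconds."""
    expiry = str(now + TOKEN_LIFETIME)
    return f"{expiry}.{_mac(path, expiry, key)}"


def verify_token(path: str, token: str, now: int, key: bytes = KEY) -> bool:
    """Accept only an unexpired token whose MAC matches this exact path."""
    expiry, sep, mac = token.partition(".")
    if not sep or not (expiry.isascii() and expiry.isdigit()):
        return False
    # compare_digest avoids leaking the expected MAC through comparison timing.
    mac_ok = hmac.compare_digest(mac.encode(), _mac(path, expiry, key).encode())
    return mac_ok and now <= int(expiry)


def cache_key_query(path: str, token: str) -> str:
    """Token in the query string: the URL, and so the cache key, includes it."""
    return f"{path}?token={token}"


def cache_key_header(path: str, token: str) -> str:
    """Token in a request header: the URL, and so the cache key, is unchanged."""
    return path


if __name__ == "__main__":
    path, day = "/photos/1.jpg", 24 * 3600
    old, new = mint_token(path, 0), mint_token(path, day)   # one rotation
    print("query :", cache_key_query(path, old) != cache_key_query(path, new))
    print("header:", cache_key_header(path, old) == cache_key_header(path, new))
    print("valid :", verify_token(path, new, day), verify_token("/other.jpg", new, day))
```

For the header variant to be safe behind a shared cache, the server must verify the token before serving a cached copy, since the token no longer distinguishes URLs.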