Re: [whatwg] Fetch Objects and scripts/stylesheets

From: Ben Maurer <ben.maurer@gmail.com>
Date: Tue, 29 Jul 2014 08:22:53 -0700
Message-ID: <CABgOVaLO_7mkaA35JyDqu2hzYq+-p3sXEOAQGuV-d+8rEbE0Aw@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: "whatwg@lists.whatwg.org" <whatwg@lists.whatwg.org>, Boris Zbarsky <bzbarsky@mit.edu>, Ian Hickson <ian@hixie.ch>, William Chan (陈智昌) <willchan@chromium.org>
Another concrete example with <img> tags: sometimes an abusive user will
use a site like Facebook as a CDN -- they'll upload a picture and hotlink
it from elsewhere. We could insert a time-stamped authentication token as a
custom header. Today we sometimes do this via the query string -- giving
the user a token that lasts for a few days. This means we bust the user's
cache every time we rotate the token. With a custom header, the browser
cache stays intact.

Images would also be a great example of where logging headers could be
extremely helpful. For example, we could log what module within a page
rendered an image and monitor bandwidth usage and CDN cache hit rate on a
per module basis. In the past it's taken us a long time to debug issues
that could easily be found with this method.

On Mon, Jul 28, 2014 at 11:51 PM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Mon, Jul 28, 2014 at 8:34 PM, Ian Hickson <ian@hixie.ch> wrote:
> > What's the use case here? Why are we trying to send custom headers on a
> > <link>?
> E.g. for <img> and such you want to turn authentication dialogs off.
> Cross-origin images can be fine, but not if they start spawning
> confusing dialogs to users making them leak passwords.
> --
> http://annevankesteren.nl/
Received on Tuesday, 29 July 2014 15:23:38 UTC