Hacker News new | past | comments | ask | show | jobs | submit login

I think the trouble with both of these plans is that it shifts cognitive load to a lot of people who aren't expert in the topic. How many people would put "shared" on something because it sounds good, or is the default in a template? And even if they don't, how many brain-hours do we have to burn on people understanding the complexity of an optimization that probably doesn't make much difference to the average website?



Isn't the bigger problem that the developer then choses for the user whether to leak information or not?


If the enemy is the developer then you've already lost. Its not like cache sharing is how a developer chooses to unmask your anonymity when browsing between sites; they have cookies to do that in much better ways.

A long time ago PHK wrote some very salient comments about HTTP 2.0 efforts https://varnish-cache.org/docs/trunk/phk/http20.html https://queue.acm.org/detail.cfm?id=2716278 etc. He puts forward the case for a browser-picked client-session-id instead of a server-supplied cookie.


> If the enemy is the developer then you've already lost.

It's not that the developer is the enemy.

Pretend I create a website called "Democratic Underground: how to foster democracy under a repressive regime." I'm naive, or I want it to load quickly, or I accidentally include a framework that is either of those two -- some library versions are cached.

Now, the EvilGov includes cache-detection scripting on its "pay your taxes here" webpage. Despite my salutatory goals, shared caching leaks to the government some subset of my readers.


Yes, precisely this. You can't let web sites "opt in" to tracking users. That's the exact wrong threat model to be using here.


I don’t think it does. I think it shifts the load to CDN maintainers. Which is fine because we just gave them a task to do that avoids obsolescence.

The browsers have always allowed cross domain requests which have been tolerated until now but involved all of us being aware of XSS and CSRF issues, or suffering the consequences.

Removing shared cache is the beginning of the end for cross domain requests by default. The other obvious use these days is ad networks, but they also get used for integrations like SSO and shared services like Apple Pay and presumably PayPal? And other collaborations between companies.

But those could also be opt in.


What if:

a) the origin sharing the resource must place a .well_known/static_resource file in place.

b) The presence of .well_known/static_resource prevents any request on this origin to send cookies, and any set-cookie header is ignored.

c) The document that includes the resource on this sharing origin must use subresource integrity attributes when loading the shared resource.

d) the resource cannot be cached unless the cache-control header is public and has a lifetime of at least 1 hour.

This guarantees that the resource is always requested cookieless, and that the resource can't vary per request, otherwise the subresource integrity check would fail.


Why .well_known/ instead of HTTP headers (possibly on a HEAD request beforehand, like CORS)?


To ensure the entire origin had the same policy. Perhaps that's unnecessary though.




Consider applying for YC's Spring batch! Applications are open till Feb 11.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: