Re: dont-revalidate Cache-Control header

Martin Thomson <martin.thomson@gmail.com> Thu, 16 July 2015 18:04 UTC

In-Reply-To: <CAMSE37vmBJYkiC+c5+aMqWUvLtY4zOHDbhEJkm=K+=KbTyOO2A@mail.gmail.com>
References: <CABgOVaLHBb4zcgvO4NUUmAzUjNkocBGYY3atFA9iuYyoLaLQsA@mail.gmail.com> <559F9E90.4020801@treenet.co.nz> <CABgOVaLG6QZyjqk2AGYupShST_u3ty9BpxUcPX+_yMEC1hyHAQ@mail.gmail.com> <961203FE-7E54-410F-923E-71C04914CD2E@mnot.net> <CABgOVaJxntEyT0v4GvWm0Qi9jbUPEnzxJgg4KyQSM1T_gN1mjQ@mail.gmail.com> <16407353-5C34-42E8-81A6-E0027EC3A0D0@mnot.net> <CABgOVa+C48yYp-ZkawY+Ho6pXONa_UfB0MVt_2+d0ejyESu2Pw@mail.gmail.com> <54973543-2406-4188-8DCD-AE3C85ACB76A@mnot.net> <CABgOVa+CrJ0qBGN-nBYZ2qpJo8X+wkYY-zYAqM6MjTom1QT+Bw@mail.gmail.com> <55A7A4F9.1010500@treenet.co.nz> <CABgOVaLnpnmd7JvY6O=tXXboVuvCCn-p1KLzu8wKVkg-yon79w@mail.gmail.com> <CAMSE37vmBJYkiC+c5+aMqWUvLtY4zOHDbhEJkm=K+=KbTyOO2A@mail.gmail.com>
Date: Thu, 16 Jul 2015 11:01:09 -0700
Message-ID: <CABkgnnXNAZdXUx_htq2owyP2CtyM-ERzZdbxM8WGWLrCeNQOaQ@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
To: Guille -bisho- <bishillo@gmail.com>
Cc: Ben Maurer <ben.maurer@gmail.com>, Amos Jeffries <squid3@treenet.co.nz>, HTTP Working Group <ietf-http-wg@w3.org>
Archived-At: <http://www.w3.org/mid/CABkgnnXNAZdXUx_htq2owyP2CtyM-ERzZdbxM8WGWLrCeNQOaQ@mail.gmail.com>

On 16 July 2015 at 10:38, Guille -bisho- <bishillo@gmail.com> wrote:
> The risk is still the typical ga.js url embedded in all websites. If a
> bug/hack makes that static, you will need to ask all site owners to go and
> change the url to something else, which will take ages.

Shift-reload is a tool we provide our users to get around this class of problem.

Also, we like to engineer security systems that don't have a
point-in-time compromise of a system resulting in a persistent
attack.

Maybe we should look for alternatives.  If Facebook wanted to
construct a service worker that handled fetch events for "static"
resources and manage its own cache, we can't really stop that from
happening.  We can't stop you from blocking your own requests after
all.

Note that this wouldn't work if the resources were requested by
another origin unless you want to support foreign fetch events for
service workers.
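
As an added example (not code from this thread, from Facebook, or from any browser), the following is the shape of the service worker Martin describes: a fetch handler that serves same-origin "static" resources cache-first from a cache the page controls, without revalidating them. The content-hash URL pattern, the cache name and the version string are assumptions chosen for illustration. The decision logic and the cache-first strategy are plain functions, separate from the event wiring, so they can be exercised outside a browser with a fake cache.

```javascript
// Added example: a service worker that serves content-addressed static
// resources cache-first with no revalidation, as a client-side alternative
// to a dont-revalidate Cache-Control directive. Not code from the thread,
// from Facebook or from any browser; the path pattern, cache name and
// version are assumptions for illustration.

// Only URLs whose path carries a content hash are treated as immutable, so a
// changed or rotated file gets a new URL and never collides with a cached
// old copy. Assumed pattern: /static/<name>.<8+ hex chars>.<ext>
const IMMUTABLE_PATH = /^\/static\/[^/]+\.[0-9a-f]{8,}\.[a-z0-9]+$/i;

// Bumping this name on deploy discards every previously cached copy on
// activate, which bounds how long a bad resource (from a compromise or a
// bug) can persist in a client's cache.
const CACHE_NAME = 'static-v1';

// Decide whether a request may be served from the managed cache without
// revalidation. `origin` is the worker's own origin: a fetch handler only
// sees requests made by pages it controls, so a third party embedding the
// same file from another origin gets nothing from this (the cross-origin
// case in the message) unless foreign fetch is involved.
function isImmutableStatic(requestUrl, origin, method = 'GET') {
  if (method !== 'GET') return false;
  let url;
  try {
    url = new URL(requestUrl, origin);
  } catch (e) {
    return false; // unparsable URL: let the network handle it
  }
  if (url.origin !== origin) return false; // never cache other origins' bytes
  if (url.search !== '') return false;     // query strings are outside the hash scheme
  return IMMUTABLE_PATH.test(url.pathname);
}

// Cache-first without revalidation. `cache` and `fetchFn` are injected so the
// strategy can run against fakes. Only successful same-origin ('basic')
// responses are stored: an error page or an opaque response must never
// become a permanently cached asset.
async function cacheFirst(request, cache, fetchFn) {
  const hit = await cache.match(request);
  if (hit) return hit;
  const response = await fetchFn(request);
  if (response.ok && response.type === 'basic') {
    await cache.put(request, response.clone());
  }
  return response;
}

// Wire-up, only when running inside a real service worker global.
if (typeof self !== 'undefined' &&
    typeof self.addEventListener === 'function' &&
    typeof caches !== 'undefined') {
  // Drop caches left by earlier versions of this worker.
  self.addEventListener('activate', (event) => {
    event.waitUntil(
      caches.keys().then((names) =>
        Promise.all(names.filter((n) => n !== CACHE_NAME).map((n) => caches.delete(n)))
      )
    );
  });

  self.addEventListener('fetch', (event) => {
    const req = event.request;
    if (!isImmutableStatic(req.url, self.location.origin, req.method)) return;
    // Keep the user's escape hatch: browsers may bypass the worker entirely
    // on a shift-reload, and where a request with cache mode 'reload' does
    // reach us we let it go to the network (assumed behaviour, not verified
    // across browsers).
    if (req.cache === 'reload') return;
    event.respondWith(
      caches.open(CACHE_NAME).then((cache) => cacheFirst(req, cache, fetch))
    );
  });
}
```

The classifier refuses cross-origin URLs for the reason the message gives: the worker only sees requests made by pages on its own origin, so the shared third-party script case is not helped by it. Content-hashed URLs plus a cache name bumped on deploy mean a bad copy cannot outlive the next worker update, which is the "no persistent attack from a point-in-time compromise" property the message asks for.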