Privacy-preserving single-keyed cache via declarative preloading #9365

Open
josephrocca opened this issue May 30, 2023 · 1 comment
Labels
addition/proposal New features or enhancements needs implementer interest Moving the issue forward requires implementers to express interest

Comments

@josephrocca

I'm almost certainly missing something here, and I'm not sure if this is the best venue to ask a question like this (I considered SO - seems off-topic), but:

I'm wondering if it's possible to allow web devs to add some sort of declaration to their `<head>` which basically says "don't start running scripts on the page until these resources have been preloaded", such that the page's scripts can never extract information based on the load timing of those resources, because from the script's perspective, they always load instantly.

This obviously wouldn't cover all use cases where caching is important, but it seems like there would be quite a few cases where this would be useful. And it seems like it aligns with the emerging paradigm where scripts aren't actually loaded initially - i.e. server rendering + some sort of eventual 'hydration'.

My only guess here is that there's a lot of implementation complexity in preventing scripts from running like this? Relative to the predicted benefits of something like this, I mean.

@domenic domenic added addition/proposal New features or enhancements needs implementer interest Moving the issue forward requires implementers to express interest labels Jun 1, 2023
@annevk
Member

annevk commented Jun 1, 2023

There's a long thread about shared caches on w3c/webappsec-subresource-integrity#22. That's kind of the canonical issue on this.

Apart from running script, there's also networking side channels, timing APIs, and probably some more things to consider.
