John Cowan <cowan at ccil.org> writes:

> I don't understand your reasoning there. What does a server learn by
> sending a 21 YOU CAN CACHE or 22 YOU SHOULD NOT CACHE response back
> instead of a plain 20 response? (I'm not a security expert and I know
> there are loopholes I don't see.)

The server operator gets a decent guess at whether the user has visited the page before (within a reasonable caching window), because if you sent a 21 YOU CAN CACHE, and they made the request, that means they hadn't seen it recently. Combine this with query strings, IP addresses, and/or fragment identifiers, and you can identify individual users, even users who have refused to set a client certificate when you asked.

It's a pretty minor information leak, since it can't be used for cross-site tracking. But give techbros an inch, and they'll take a mile.

-- 
Jason McBrayer         | "Strange is the night where black stars rise,
jmcbray at carcosa.net | and strange moons circle through the skies,
                       | but stranger still is lost Carcosa."
                       | - Robert W. Chambers, The King in Yellow