Zack Weinberg wrote:
> On 2012-02-28 4:06 PM, Brian Smith wrote:
> To some extent it *has* to regress performance, because this is a
> timing attack: when the attack site tries to iframe something, it
> has to *appear* to not be in the cache, even if it is, and that
> means delaying the load.

First, we should separate out good vs. bad subresource loads, and common vs. uncommon. I don't think anybody would object to slowing down "bad" loads. But, if you were able to identify them as bad, then why not just block them to start with?

Perhaps, then, we need to implement features that allow sites to say things like "only allow cross-origin requests for this resource from origins X, Y, Z." That would seem to solve this problem (albeit, only for sites that are proactive about it) and others (e.g. it would prevent some DoS attacks too).

Cheers,
Brian
