Hacker News

Sorry, checking, FF and Chrome don't do it yet, but they will soon: https://www.chromestatus.com/feature/5730772021411840 , https://bugzilla.mozilla.org/show_bug.cgi?id=1536058



Thanks for the cache partition description. This will make projects like cdnjs less beneficial. The proposed hash:// scheme at least would leave it to the attacked site which resources to expose to such an attack.

Performance vs security trade-offs seem to be popping up everywhere recently.


A "share cache if hashes match" approach was considered with https://developer.mozilla.org/en-US/docs/Web/Security/Subres... but not included in the initial version. There's been talk (https://hillbrad.github.io/sri-addressable-caching/sri-addre... , https://github.com/w3c/webappsec-subresource-integrity/issue...) about allowing sites to opt in, but then you're opening up a new way of tracking users across sites.



