Open josephrocca opened 1 year ago
There's a long thread about shared caches on https://github.com/w3c/webappsec-subresource-integrity/issues/22. That's kind of the canonical issue on this.
Apart from running script, there are also networking side channels, timing APIs, and probably some more things to consider.
I'm almost certainly missing something here, and I'm not sure if this is the best venue to ask a question like this (I considered SO - seems off-topic), but:
I'm wondering if it's possible to allow web devs to add some sort of declaration to their <head> which basically says "don't start running scripts on the page until these resources have been preloaded", such that the page's scripts can never extract information based on the load timing of those resources, because from the script's perspective, they always load instantly.
This obviously wouldn't cover all use cases where caching is important, but it seems like there would be quite a few cases where this would be useful. And it seems like it aligns with the emerging paradigm where scripts aren't actually loaded initially - i.e. server rendering + some sort of eventual 'hydration'.
My only guess here is that there's a lot of implementation complexity in preventing scripts from running like this? Relative to the predicted benefits of something like this, I mean.