by simonw 1690 days ago
I believe sharing cached code between domains has been almost entirely eliminated by browsers now, because it turned out to be a huge privacy leak: a malicious domain could attempt to load code that was used by another domain, time how long it took to load and use that to determine if the user had visited that other site.

Browsers fixed this by making the browser cache no longer shared between domains.

1 comments

Hm, I wonder if this could be circumvented by doing timing attacks against the CDN cache? That's still shared between domains...
That's the cache in the browser, not the cache in the CDN.
Oh, I see what you’re saying. How could that possibly be exploited for a side channel attack, though? All it would tell an attacker is that someone requested the file before.
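An added example, not part of the thread: a toy model of the two caches discussed above, showing what load time a page can observe when the browser cache is keyed by URL alone versus by top-level site plus URL. The site names, URL, and latency figures are constructed assumptions, and the CDN edge is modelled as already warmed by some other user.

```javascript
// Toy model (added example): latencies, sites and URL are constructed values.
const LATENCY_MS = { browser: 1, cdn: 20, origin: 200 };

class Cdn {
  constructor() { this.edge = new Set(); }      // one edge cache shared by all users
  get(url) {
    if (this.edge.has(url)) return LATENCY_MS.cdn;
    this.edge.add(url);                          // first request goes to origin
    return LATENCY_MS.origin;
  }
}

class Browser {
  constructor(cdn, partitioned) {
    this.cdn = cdn;
    this.partitioned = partitioned;
    this.cache = new Set();
  }
  // Shared cache: key is the resource URL only.
  // Partitioned cache: key also includes the top-level site doing the embedding.
  key(topLevelSite, url) {
    return this.partitioned ? `${topLevelSite} ${url}` : url;
  }
  // Simulated load time of `url` when embedded by a page on `topLevelSite`.
  load(topLevelSite, url) {
    const k = this.key(topLevelSite, url);
    if (this.cache.has(k)) return LATENCY_MS.browser;
    this.cache.add(k);
    return this.cdn.get(url);
  }
}

// Load time measured by a page on site-b.example for a library that
// site-a.example also embeds, depending on whether this user visited site-a.
function probeLatency({ partitioned, userVisited }) {
  const cdn = new Cdn();
  const url = "https://cdn.example/lib.js";
  // Some unrelated user fetched the file earlier, so the CDN edge is warm.
  new Browser(cdn, partitioned).load("https://other.example", url);
  const user = new Browser(cdn, partitioned);
  if (userVisited) user.load("https://site-a.example", url);
  return user.load("https://site-b.example", url);
}
```

In this model the shared browser cache yields 1 ms versus 20 ms depending on the user's own history, while the partitioned cache yields 20 ms either way, because the CDN hit reflects only that some user requested the file.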