[michaelt]

While this particular implementation doesn't track individuals, couldn't your trivially start tracking individuals by sending them unique random times like last-modified: 12 Mar 1978 12:34:56 GMT thereby giving them a ~30 bit unique identifier for as long as the file is cached?

[pwdisswordfish0]

Only if you disregard the amount of latitude that the semantics of these headers give to UAs that would effectively thwart this method of tracking.

If I fetch your /foo.html today in November 2022, and you send me a last-modified from 1978, that gives me and my UA a huge range from which to select a different datetime (anywhere between the 1978 value and now-ish) on my next request. How are you going to correlate my original and subsequent requests if in the latter I ask if you've got a copy that's been modified since 1999?

[marshray]

Sure, a UA could do a whole lot of things to resist fingerprinting.

But users go to the web with the browser they've been given.

Apple, famously, forbids its users to speak HTTP with anything else on iOS.

[pwdisswordfish0]

Context is important. The replied-to comment starts off, "While this particular implementation doesn't track individuals, couldn't your trivially start tracking individuals by[...]"

An acceptable response, then (to both you and the original commenter), follows: "While some particular browser version doesn't currently protect individuals from that proposed form of tracking, any browser vendor could trivially start thwarting that form of tracking by exploiting the latitude afforded to UAs by the semantics of these headers." And that's the form that the previous comment takes and how it should be understood. The fact that "users go to the web with the browser they've been given [i.e., today, and which isn't providing this sort of tracking protection]" doesn't change anything; we are explicitly talking about steps that each side _can_ take in the arms race related to the subject of this discussion...