by roller 3972 days ago
Will Chrome be using this as a cache hint? It might be an explicit way to signal a change, but the real benefit would be to dedupe every resource on the Internet. If I have a cached resource with a matching sha256, do I really need to make another request?

> the real benefit would be to dedupe every resource on the Internet

Hopefully not. Even if we ignore the possibility of hash collisions (since that's not that likely yet with SHA-256), there's still the issue of cross-origin data leakage: using a known hash and whether a request is made for the resource to tell if a user has visited another website.

This should require a CORS header.

A common solution to this problem is salting the sensitive value before it's hashed. Then we can have de-duplication and security.

No. Do you understand the attack I'm referring to?

(Legitimate) Site A sends file a.com/image.png w/ a hash.

(Attacker) Site B sends file b.com/image.png w/ identical hash. If no request is made for b.com/image.png, the attacker knows the visitor has gone to Site A.

To clarify: the hash for the sensitive resource can be salted, making the hash unique and avoiding de-duplication. For non-sensitive resources, e.g. jquery.js, we can use an unsalted hash and get de-duplication.

Another benefit of identifying resources by their hash is that we don't need to request them from a specific host. Instead, you can get them from any CDN that has a matching resource.
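
The Site A / Site B exchange discussed in the thread, and the trade-off between de-duplication and leakage, modelled as an added example that is not part of the original thread. The toy cache, the two cache-key policies, the sample bodies and the salt (assumed to be a value Site B cannot learn) are all assumptions made for illustration:

```javascript
const { createHash, randomBytes } = require("node:crypto");
const sha256 = (data) => createHash("sha256").update(data).digest("hex");

// Toy browser cache (an assumption, not any browser's real design).
// keyFn decides which requests count as "the same resource".
class Cache {
  constructor(keyFn) { this.keyFn = keyFn; this.entries = new Set(); }
  // Returns true when the load goes to the network, false on a cache hit.
  load(origin, hash) {
    const key = this.keyFn(origin, hash);
    if (this.entries.has(key)) return false;
    this.entries.add(key);
    return true;
  }
}
const hashKeyed = () => new Cache((origin, hash) => hash);
const originPartitioned = () => new Cache((origin, hash) => `${origin}|${hash}`);

// Site B embeds a resource with a hash it knows and watches for a request.
// The visit to Site A leaks if B's observation depends on it.
function leaksVisit(makeCache, hashServedByA, hashKnownToB) {
  const requestSeenByB = (visitedA) => {
    const cache = makeCache();
    if (visitedA) cache.load("a.com", hashServedByA);
    return cache.load("b.com", hashKnownToB);
  };
  return requestSeenByB(true) !== requestSeenByB(false);
}

// De-duplication: a second origin's load of the same hash needs no request.
function dedupes(makeCache, hash) {
  const cache = makeCache();
  cache.load("a.com", hash);
  return cache.load("b.com", hash) === false;
}

function runScenarios() {
  const image = "constructed image.png bytes";   // constructed sample data
  const jquery = "constructed jquery.js bytes";  // constructed sample data
  const salt = randomBytes(16).toString("hex");  // assumed unknown to Site B
  return {
    sharedLeaks: leaksVisit(hashKeyed, sha256(image), sha256(image)),
    partitionedLeaks: leaksVisit(originPartitioned, sha256(image), sha256(image)),
    saltedLeaks: leaksVisit(hashKeyed, sha256(salt + image), sha256(image)),
    sharedDedupesJquery: dedupes(hashKeyed, sha256(jquery)),
    partitionedDedupesJquery: dedupes(originPartitioned, sha256(jquery)),
  };
}
console.log(runScenarios());
```

In this model a cache keyed by hash alone de-duplicates jquery.js but makes the visit to Site A observable, while keying by origin plus hash removes the signal at the cost of de-duplication.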