by rgbrenner 3972 days ago
No. Do you understand the attack I'm referring to?

(Legitimate) Site A sends file a.com/image.png w/ a hash.

(Attacker) Site B sends file b.com/image.png w/ identical hash. If no request is made for b.com/image.png, the attacker knows the visitor has gone to Site A.


To clarify: the hash for the sensitive resource can be salted, making the hash unique and avoiding de-duplication. For non-sensitive resources, eg jquery.js, we can use an unsalted hash and get de-duplication.

Another benefit of identifying resources by their hash is that we don't need to request them from a specific host. Instead, you can get them from any CDN that has a matching resource.
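A toy model of the cache probe described in the thread and of the salted-hash mitigation from the reply, added here as an example that is not part of the original posts. The class and function names are chosen for this example, and the salt is assumed to be a per-visitor secret that Site B cannot learn.

```python
import hashlib
import hmac
import os
# Toy model of a browser cache keyed by the hash a page declares for a
# subresource. Constructed for illustration; not a real browser's cache.
class ContentAddressedCache:
    def __init__(self):
        self.store = {}      # declared hash -> cached body
        self.requests = []   # (origin, path) pairs that hit the network
    def fetch(self, origin, path, declared_hash, body):
        if declared_hash in self.store:
            return self.store[declared_hash]   # de-duplicated: no request
        self.requests.append((origin, path))   # observable network fetch
        self.store[declared_hash] = body
        return body

def unsalted_hash(body):
    return hashlib.sha256(body).hexdigest()

def salted_hash(body, salt):
    # Per-visitor salt keyed into the hash: same bytes, different key.
    return hmac.new(salt, body, hashlib.sha256).hexdigest()

def visitor_loads_site_a(cache, body, salt):
    h = salted_hash(body, salt) if salt else unsalted_hash(body)
    cache.fetch("a.com", "/image.png", h, body)

def site_b_probe(cache, guessed_hash):
    # Site B declares the guessed hash for b.com/image.png; if no request
    # goes out, the key was already cached, i.e. the visitor loaded Site A.
    before = len(cache.requests)
    cache.fetch("b.com", "/image.png", guessed_hash, b"attacker body")
    return len(cache.requests) == before

def simulate(salted):
    sensitive = b"\x89PNG logged-in-only image bytes"   # constructed sample
    cache = ContentAddressedCache()
    # Hash the attacker saw in their own Site A session (different salt if salted).
    seen = salted_hash(sensitive, os.urandom(16)) if salted else unsalted_hash(sensitive)
    visitor_loads_site_a(cache, sensitive, os.urandom(16) if salted else None)
    return site_b_probe(cache, seen)

def shared_library_dedup():
    # Non-sensitive jquery.js keeps an unsalted hash and still de-duplicates.
    jquery = b"/* jquery.js constructed sample */"
    cache = ContentAddressedCache()
    for origin in ("a.com", "b.com"):
        cache.fetch(origin, "/jquery.js", unsalted_hash(jquery), jquery)
    return len(cache.requests)   # 1: the second page is served from cache
```

`simulate(False)` returns True (the probe detects the Site A visit), `simulate(True)` returns False (the salted key cannot be guessed), while the shared library still loads once.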