check etag caching on the client rather than trusting the server

HTTP server's etags have been shown to be a technique that servers can easily track clients. The server can choose an etag to represent a user, then when the client comes back and presents the same etag, the server knows its the same user. To fix this, the client should do the etag checking.

Proposed solution: Make a HEAD request first and compare the etag with the stored one. If it does not match, then send the GET request, but without If-none-match header. This gives the server only one try to guess the etag.

See: http://lucb1e.com/rp/cookielesscookies/

Ha, interesting. Perhaps add the security label?

Added ~18502 label

I have seen this come up before, but can't seem to find an original issue relating to it. Should be a relatively straight forward fix to implement it as you have proposed.

Milestone changed to %1.1

Added help-wanted label

Mentioned in issue #785

Mentioned in issue #777 (closed)

Reassigned to @eighthave

Milestone changed to %0.103 - UX Overhaul

One thing to also check is that the icon downloading is also not sending etags to the server.

mentioned in merge request !436 (closed)

removed help-wanted label

assigned to @pserwylo

changed milestone to %1.1

As per our discussion in the scrum, happy for this to get fixed + merged whenever it happens, specifically via your 2e694158 commit. However I'm removing from the %0.103 - UX Overhaul to clean up that milestone and make it easier to pin down what must be done as part of that milestone.

removed assignee

changed milestone to %1.0-alpha2

mentioned in merge request !574 (merged)

I reworked 2e694158 into !574 (merged), so I'm closing this

closed

added bazaar label

reopened

closed via merge request !574 (merged)