
This is true, but if you're running a CDN you have access to cross-domain user information just based on the headers, no?


The CDN is not the place you have to be worried about.

If Site A loads a specific JavaScript file for users with an administrator account, Site B can check to see if the JavaScript file is in your cache, and infer that you must have an administrator account if the file is there.

The attack can happen with different types of resources (such as images).
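
An added illustration, not part of any comment in this thread: a toy JavaScript model of the cache check described above, comparing a cache keyed by URL alone with one keyed by (top-level site, URL). The class, the function names, and the site names and URLs are constructed for the example, and the model reports a cache hit directly as a return value.

```javascript
// Toy model of a browser HTTP cache (added example, not real browser code).
// Site names and URLs below are constructed for the illustration.
class ModelCache {
  // partitioned = false: one cache shared by every site, keyed by URL only.
  // partitioned = true:  entries keyed by (top-level site, URL).
  constructor(partitioned) {
    this.partitioned = partitioned;
    this.entries = new Set();
  }

  key(topLevelSite, url) {
    return this.partitioned ? `${topLevelSite} ${url}` : url;
  }

  // Returns true on a cache hit; on a miss, "fetches" and stores the resource.
  load(topLevelSite, url) {
    const k = this.key(topLevelSite, url);
    const hit = this.entries.has(k);
    this.entries.add(k);
    return hit;
  }
}

const APP_JS = "https://site-a.example/static/app.js";           // constructed
const ADMIN_JS = "https://site-a.example/static/admin-panel.js"; // constructed

// The user browses Site A, which loads ADMIN_JS only for administrators.
// Site B then requests the same URL; the return value is what Site B learns.
function siteBSeesCacheHit(partitioned, userIsAdmin) {
  const cache = new ModelCache(partitioned);
  cache.load("site-a.example", APP_JS);
  if (userIsAdmin) cache.load("site-a.example", ADMIN_JS);
  return cache.load("site-b.example", ADMIN_JS);
}

// Compare both cache designs for an admin and a non-admin user.
function summary() {
  return {
    sharedAdmin: siteBSeesCacheHit(false, true),         // leak: hit reveals admin
    sharedNonAdmin: siteBSeesCacheHit(false, false),
    partitionedAdmin: siteBSeesCacheHit(true, true),     // no leak: always a miss
    partitionedNonAdmin: siteBSeesCacheHit(true, false),
  };
}

console.log(summary());
```

With the shared cache the result differs between the admin and non-admin user, which is the inference the comment describes; with the partitioned cache Site B sees the same result for both.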


This I understand, the risk of third-parties monitoring. The attacks are pretty obvious. My confusion is over what the business model of a commercial CDN is if not to track users across multiple sites? How do they pay for bandwidth?



