Untrusted Content
Any time you reference untrusted content on your website, you are at risk of a security attack. This is most clear for JavaScript, which will have access to your domain's cookies because of the Same Origin Policy. It can also be true for CSS, which can contain JavaScript references (ex: the IE behavior property described in this W3C reference and at this reference by SitePoint®). Even images can be used in attacks in certain situations (ex: the GIFAR attack). Caution: Do not reference untrusted content on your website. If you do store user content or other untrusted content, keep it on a separate cookie-less domain and do NOT tell mod_pagespeed to rewrite from that domain to your main cookied domain.
Private Content
mod_pagespeed rewrites and, effectively, proxies resources referenced in the main HTML document. It respects public caching headers, so if a resource is not explicitly marked as publicly cacheable, mod_pagespeed will neither rewrite nor re-serve it. However, mod_pagespeed will re-serve resources which ARE publicly cacheable. If you serve private content as publicly cacheable, mod_pagespeed will proxy it to anyone who requests that specific URL. Note that any public proxy on the Internet can do the same thing. Caution: Explicitly mark private content as not publicly cacheable.
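As an added example (not code from the mod_pagespeed project), the following Python audit helper applies a conservative reading of a response's caching headers to answer the question the paragraph above raises: would a shared cache or rewriting proxy be allowed to store and re-serve this response? The directive rules are a generic shared-cache heuristic, not mod_pagespeed's exact logic, and the sample header sets are constructed.

```python
"""Audit check: would a shared cache or rewriting proxy re-serve this response?"""
from typing import Dict, Optional


def parse_cache_control(value: str) -> Dict[str, Optional[str]]:
    """Parse a Cache-Control header into {directive: argument-or-None}."""
    directives: Dict[str, Optional[str]] = {}
    for token in value.split(","):
        token = token.strip()
        if not token:
            continue
        name, _, arg = token.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') if arg else None
    return directives


def is_publicly_cacheable(headers: Dict[str, str]) -> bool:
    """Return True if a shared cache may store and re-serve this response.

    Conservative heuristic (an assumption for this audit, not mod_pagespeed's code):
    - no-store, no-cache or private   -> not shared-cacheable
    - a Set-Cookie header             -> treated as per-user, not shared-cacheable
    - otherwise cacheable only with a positive explicit freshness lifetime
      (s-maxage, then max-age) or an Expires header (date not validated here)
    """
    lower = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(lower.get("cache-control", ""))
    if any(d in cc for d in ("no-store", "no-cache", "private")):
        return False
    if "set-cookie" in lower:
        return False
    for key in ("s-maxage", "max-age"):
        arg = cc.get(key)
        if arg is not None and arg.isdigit():
            return int(arg) > 0
    return "expires" in lower


# Constructed sample responses for a per-user account page.
LEAKY_HEADERS = {"Content-Type": "text/html", "Cache-Control": "public, max-age=3600"}
FIXED_HEADERS = {"Content-Type": "text/html", "Cache-Control": "private, no-store"}

if __name__ == "__main__":
    # The "leaky" page would be proxied to anyone requesting its URL; the fixed one would not.
    print("leaky page shared-cacheable:", is_publicly_cacheable(LEAKY_HEADERS))  # True
    print("fixed page shared-cacheable:", is_publicly_cacheable(FIXED_HEADERS))  # False
```

Run it against the headers your origin actually emits for authenticated pages; any True result on private content is a resource a rewriting proxy is permitted to re-serve.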