> On 9 Jun 2015, at 2:42 pm, Martin Thomson <martin.thom...@gmail.com> wrote: > > On 8 June 2015 at 21:30, Nottingham, Mark <mnott...@akamai.com> wrote: >> A header denoting site-wide metadata would work for this too, of course, if >> folks were comfortable with the security properties of doing that (as well >> as the potential response overhead). > > The security properties bother me a little. Alt-Svc is showing us > that we can't just define a header field like that without some > serious analysis.
Indeed. Also, an intermediary cache (whether a proxy or a CDN) would need to monitor all of the headers sent back for a given origin to figure out the applicable policy, and rewrite responses accordingly. It wouldn't just work out of the box like a .well-known would. Cheers, -- Mark Nottingham m...@akamai.com https://www.mnot.net/