Security Considerations for PageSpeed

Any change to a website can introduce new security holes, and PageSpeed is no exception. This document covers specific security concerns to keep in mind when using PageSpeed.

Untrusted Content

Any time you reference untrusted content on your website, you are at risk of attack. This is clearest for JavaScript, which will have access to your domain's cookies because of the Same Origin Policy. It can also be true for CSS, which can contain JavaScript references (e.g. the IE behavior property described in this W3C reference and at this reference by SitePoint®). Even images can be used in attacks in certain situations (e.g. the GIFAR attack).

Caution: Do not reference untrusted content on your website. If you do store user content or other untrusted content, keep it on a separate cookie-less domain and do NOT tell PageSpeed to rewrite from that domain to your main cookied domain.

Private Content

PageSpeed rewrites and, effectively, proxies resources referenced in the main HTML document. It respects public caching headers, so if a resource is not explicitly marked publicly cacheable, PageSpeed will neither rewrite nor re-serve it. However, PageSpeed will re-serve resources which ARE publicly cacheable. If you serve private content as publicly cacheable, PageSpeed will proxy it to anyone who requests that specific URL. Note that any public proxy on the Internet can do the same thing.

Caution: Explicitly mark private content as not publicly cacheable.
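
The check below is an added example, not PageSpeed's code: it approximates standard HTTP shared-cache rules to flag responses under operator-declared private path prefixes whose headers still allow public caching. The function names, the "/account/" prefix and the sample responses are constructed for illustration.

```python
# Added example: approximates HTTP shared-cache rules; not PageSpeed's own logic.
from email.utils import parsedate_to_datetime

def parse_cache_control(value):
    """Parse a Cache-Control header into {directive: argument-or-None}."""
    directives = {}
    for part in (value or "").split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives

def _expires_in_future(h):
    try:
        return parsedate_to_datetime(h["expires"]) > parsedate_to_datetime(h["date"])
    except (KeyError, TypeError, ValueError):
        return False  # missing or malformed dates: treat as already expired

def is_publicly_cacheable(headers):
    """True if a shared cache or proxy may store and re-serve this response."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control"))
    # Assumption: no-cache counts as not re-servable, since it forces revalidation.
    if {"private", "no-store", "no-cache"} & cc.keys():
        return False
    for key in ("s-maxage", "max-age"):  # s-maxage wins for shared caches
        if key in cc:
            return (cc[key] or "").isdigit() and int(cc[key]) > 0
    return "public" in cc or _expires_in_future(h)

def audit(responses, private_prefixes):
    """Return paths under a private prefix whose headers allow public caching."""
    prefixes = tuple(private_prefixes)
    return [path for path, headers in responses
            if path.startswith(prefixes) and is_publicly_cacheable(headers)]

# Constructed sample: (path, response headers). "/account/" is a hypothetical private area.
SAMPLE = [
    ("/static/site.css", {"Cache-Control": "public, max-age=31536000"}),
    ("/account/statement.pdf", {"Cache-Control": "max-age=600"}),
    ("/account/avatar.png", {"Cache-Control": "private, max-age=600"}),
    ("/account/export.csv", {"Cache-Control": "no-store"}),
    ("/account/report.png", {"Date": "Tue, 01 Jul 2025 10:00:00 GMT",
                             "Expires": "Wed, 02 Jul 2025 10:00:00 GMT"}),
]

if __name__ == "__main__":
    for path in audit(SAMPLE, ["/account/"]):
        print("publicly cacheable private resource:", path)
```

Feed it headers captured from your own origin; every path it reports should be changed to send `Cache-Control: private` or `no-store`.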