About
ETag (Entity Tag) is an HTTP response header that carries an opaque identifier for a specific version of the response body (i.e. of the resource).
Comparing two etags determines whether two representations of a resource are the same, so an etag plays a role similar to a hash digest of the content.
Usage
Cache Validation
Used as the validator in a conditional request to check whether a resource has changed (for example, whether the copy in the browser cache is stale and a fresh copy must be downloaded).
Tracking
An etag can be misused as a fingerprint that allows user tracking.
For example:
- Phase 1:
  - A site constructs an etag value that is unique to the user or user agent,
  - and sends it in a cacheable response with a long freshness lifetime.
- Phase 2:
  - On each subsequent page view, the browser sends that etag back in a conditional GET.
  - The server then re-identifies the user or user agent from the etag value.
This identification persists as long as the user agent retains the original cache entry, even after the user performs privacy-maintaining actions such as:
  - clearing stored cookies
  - or switching to a private browsing mode.
Syntax
In BNF:
ETag := ['W/'] '"' 'etag'? '"';
where:
- The W/ prefix is optional; when present it marks the etag as weak, meaning the value may stay the same even though the resource has changed (the representations are only semantically, not byte-for-byte, equivalent).
Example
ETag: "xyzzy"
ETag: W/"xyzzy"
ETag: ""
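As an added example (not part of this page), the following Python code puts the syntax and the cache-validation usage above into practice: it parses etag values according to the BNF given here, implements the strong and weak comparison rules from RFC 7232, derives the etag from a hash of the body (so the value is the same for every client and carries nothing that could identify a user), and answers a conditional GET with 304 when the client's cached copy still matches. The regular expression's `[^"]*` is an assumption that loosely approximates the allowed opaque-tag characters; the functions `parse_etag`, `strong_compare`, `weak_compare`, `content_etag` and `handle_get` are names chosen for this example.

```python
import hashlib
import re
from typing import Optional, Tuple

# Grammar from the page: ETag := ['W/'] '"' 'etag'? '"'
# (the character class is an approximation of RFC 7232's etagc)
_ETAG_RE = re.compile(r'^(W/)?"([^"]*)"$')
# Matches each etag inside a comma-separated If-None-Match list
_ETAG_LIST_RE = re.compile(r'(?:W/)?"[^"]*"')


def parse_etag(value: str) -> Optional[Tuple[bool, str]]:
    """Return (is_weak, opaque_tag), or None if the value is malformed."""
    m = _ETAG_RE.match(value.strip())
    if not m:
        return None
    return (m.group(1) is not None, m.group(2))


def strong_compare(a: str, b: str) -> bool:
    """RFC 7232 strong comparison: both strong and byte-identical."""
    pa, pb = parse_etag(a), parse_etag(b)
    return bool(pa and pb) and not pa[0] and not pb[0] and pa[1] == pb[1]


def weak_compare(a: str, b: str) -> bool:
    """RFC 7232 weak comparison: ignore W/, compare the opaque tags only."""
    pa, pb = parse_etag(a), parse_etag(b)
    return bool(pa and pb) and pa[1] == pb[1]


def content_etag(body: bytes) -> str:
    """Derive the validator from the body, like a hash digest: every client
    receives the same tag for the same content, so it cannot fingerprint."""
    return '"%s"' % hashlib.sha256(body).hexdigest()[:32]


def handle_get(body: bytes, if_none_match: Optional[str] = None):
    """Serve body with an ETag, or 304 if the cached copy still matches.
    If-None-Match is evaluated with the weak comparison (RFC 7232 s.3.2)."""
    current = content_etag(body)
    if if_none_match is not None:
        if if_none_match.strip() == "*":
            return 304, {"ETag": current}, b""
        for candidate in _ETAG_LIST_RE.findall(if_none_match):
            if weak_compare(candidate, current):
                return 304, {"ETag": current}, b""
    return 200, {"ETag": current, "Cache-Control": "max-age=60"}, body


if __name__ == "__main__":
    tag = content_etag(b"hello")                # constructed sample body
    print(handle_get(b"hello", None)[0])        # 200 on first fetch
    print(handle_get(b"hello", 'W/' + tag)[0])  # 304 on revalidation
```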