
Why block it entirely when you can just feed them garbage data?


Sending a garbage Last-Modified time might confuse the server and cause unpredictable problems for the user. Blocking it is safe because the server will just assume this is the first time the user has visited the website.


What's the motivation to block/misinform?

This allows site owners to get statistics on page views/uniques/bounces without unique identifier cookies or javascript injections.

I’m all for blocking any abusive tracking methods, but this looks to me like creative website statistics that work for a single domain. What’s the harm in measuring that?


While this particular implementation doesn't track individuals, couldn't you trivially start tracking individuals by sending them unique random times like last-modified: 12 Mar 1978 12:34:56 GMT thereby giving them a ~30 bit unique identifier for as long as the file is cached?


Only if you disregard the amount of latitude that the semantics of these headers give to UAs that would effectively thwart this method of tracking.

If I fetch your /foo.html today in November 2022, and you send me a last-modified from 1978, that gives me and my UA a huge range from which to select a different datetime (anywhere between the 1978 value and now-ish) on my next request. How are you going to correlate my original and subsequent requests if in the latter I ask if you've got a copy that's been modified since 1999?
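An added Python illustration (not from any commenter) of both halves of this exchange: how many identifier bits a per-visitor Last-Modified can carry, the server-side check that re-identifies a client which echoes it back verbatim, and the UA-side fuzzing described in the comment above. The fixed November 2022 clock, the visitor numbers and the tracker's encoding are constructed for the example.

```python
import random
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime

# Constructed clock so the example is deterministic ("today in November 2022").
NOW = datetime(2022, 11, 15, 12, 0, 0, tzinfo=timezone.utc)
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def identifier_bits(now: datetime = NOW) -> int:
    """Bits of identifier a per-visitor Last-Modified can carry: one
    second-resolution timestamp per visitor, anywhere from 1970 up to now.
    Returns 31 for November 2022, i.e. the "~30 bit" identifier of the thread."""
    return int((now - EPOCH).total_seconds()).bit_length()


def issue_last_modified(visitor_seconds: int) -> str:
    """Tracker side (constructed): encode a visitor number as an HTTP-date."""
    return format_datetime(EPOCH + timedelta(seconds=visitor_seconds), usegmt=True)


def server_recognises(issued: str, if_modified_since: str) -> bool:
    """Tracker side: a client echoing exactly the issued time is re-identified."""
    return parsedate_to_datetime(issued) == parsedate_to_datetime(if_modified_since)


def echo_if_modified_since(cached_last_modified: str) -> str:
    """Conventional UA behaviour: send the cached Last-Modified back verbatim."""
    return cached_last_modified


def fuzzed_if_modified_since(cached_last_modified: str, now: datetime = NOW,
                             rng=random) -> str:
    """UA-side mitigation from the thread: ask for 'modified since' a random time
    strictly between the cached value and now, so the value sent back never equals
    the one issued.  Any date is a valid conditional request; a later date costs
    at most a 304 that hides a change made between the two times."""
    start = parsedate_to_datetime(cached_last_modified)
    span = int((now - start).total_seconds())
    chosen = start + timedelta(seconds=rng.randrange(1, span))
    return format_datetime(chosen, usegmt=True)


def simulate(visitor_seconds: int, fuzz: bool, seed: int = 0) -> bool:
    """Two visits by one client; returns whether the tracker can link them."""
    issued = issue_last_modified(visitor_seconds)        # visit 1: server sets header
    if fuzz:
        sent = fuzzed_if_modified_since(issued, rng=random.Random(seed))
    else:
        sent = echo_if_modified_since(issued)            # visit 2: client sends it back
    return server_recognises(issued, sent)
```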


Sure, a UA could do a whole lot of things to resist fingerprinting.

But users go to the web with the browser they've been given.

Apple, famously, forbids its users to speak HTTP with anything else on iOS.


Context is important. The replied-to comment starts off, "While this particular implementation doesn't track individuals, couldn't you trivially start tracking individuals by[...]"

An acceptable response, then (to both you and the original commenter), follows: "While some particular browser version doesn't currently protect individuals from that proposed form of tracking, any browser vendor could trivially start thwarting that form of tracking by exploiting the latitude afforded to UAs by the semantics of these headers." And that's the form that the previous comment takes and how it should be understood. The fact that "users go to the web with the browser they've been given [i.e., today, and which isn't providing this sort of tracking protection]" doesn't change anything; we are explicitly talking about steps that each side _can_ take in the arms race related to the subject of this discussion...


> What's the motivation to block/misinform?

What’s the motivation to submit to it?


Allowing websites to get a somewhat accurate count of visitors plus bounce rate helps them to tell how they’re doing. Hopefully, they use that to guide developing a better product/service.

If you can allow them to do that without getting tracked, it’s win-win. You get a better experience when they build a better service.



