Surely the correct solution to that is to control the information your browser will send to the CDN, not to try and stop web designers from using CDNs for everyone. The way requesting assets leaks the page you're visiting is through the referer header, so if you want to prevent that, use an add-on that lets you control that header, like https://addons.mozilla.org/en-US/firefox/addon/referrer-cont... .

Your point is well-taken, but I suspect 'aw3c2 might be concerned about the CDN "fingerprinting" multiple-resource requests (so that a particular exact combination of files is known to be required by a small [possibly singular] set of sites), which isn't addressed by your referrer suggestions.

"Surely the way to protect your passwords is to use different passwords on multiple websites; ergo I don't need to hash my password database".

Web developers have a responsibility to protect their users from threats they don't even know exist.

I don't think making the entire toolchain more complex with extra edge cases that would need some kind of centrally managed white list, is more correct than 'just dont do that'.

Just don't do what? Receive the information you are sending them?

If you don't want someone to have this information, the sensible thing is not to offer it. I cannot conceive of any way in which sending the information and then yelling at the recipient for receiving it is "more correct" than just not telling people things you don't want them to know.

Why don't site operators take responsibility for themselves to not leak their users information unnecessarily? We've taken it upon ourselves to chastise any web property that doesn't properly hash their passwords--we could just have easily say "if you don't want your password to other sites leaked, use different passwords". But we recognize the unfair burden we are placing on end users in that case. The case with CDNs and information leak is similar.