While persisting nonces would completely prevent replay attacks, that approach would not scale as well as the second proposed alternative solution (which allows replay attacks within a narrow window), which I think I'm in favor of, as it'd be the most backportable solution with the least impact (and I'd argue it's something we should be doing, regardless):
Have the s3 extension parse the normalized request, find the timestamp,
and reject requests with a timestamp more than 5 minutes off from the
server's time.
Relatedly, do we support/acknowledge the Expires query parameter today?
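The timestamp check proposed above, sketched as an added example (not the project's code and not part of the original comment). The names `check_freshness` and `StaleRequest` and the dict-shaped `headers`/`query` inputs are assumptions; the timestamp formats are the ISO 8601 basic form used by `X-Amz-Date`, the RFC 1123 form used by `Date`, and `Expires` as epoch seconds on pre-signed URLs.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

MAX_SKEW = timedelta(minutes=5)  # window from the proposal above


class StaleRequest(Exception):
    """Raised when a signed request falls outside the accepted time window."""


def _parse_timestamp(value):
    """Parse ISO 8601 basic (X-Amz-Date) or RFC 1123 (Date) into aware UTC."""
    try:
        return datetime.strptime(value, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        pass
    try:
        parsed = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        raise StaleRequest("unparseable timestamp")
    if parsed.tzinfo is None:  # e.g. "-0000" zone: treat as UTC
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed


def check_freshness(headers, query, now=None):
    """Call only after the signature verifies, so the timestamp is trusted."""
    now = now or datetime.now(timezone.utc)
    # Pre-signed URL: Expires is an absolute deadline, not a skew window,
    # so the request stays replayable until that deadline passes.
    if "Expires" in query:
        try:
            deadline = datetime.fromtimestamp(int(query["Expires"]), timezone.utc)
        except (ValueError, OverflowError, OSError):
            raise StaleRequest("unparseable Expires")
        if now > deadline:
            raise StaleRequest("pre-signed URL expired")
        return deadline
    # x-amz-date takes precedence over Date when both are present.
    raw = headers.get("x-amz-date") or query.get("X-Amz-Date") or headers.get("date")
    if not raw:
        raise StaleRequest("no timestamp in signed request")
    ts = _parse_timestamp(raw)
    if abs(now - ts) > MAX_SKEW:
        raise StaleRequest("timestamp outside 5 minute window")
    return ts
```

A request with no parseable timestamp is rejected rather than passed through, since accepting it would leave the replay window unbounded.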