[whatwg/fetch] Delay opaque responses until response body is in (#355)

We already delay responses when `integrity` is specified. We should do the same for opaque responses as otherwise there's a timing attack possible to more accurately figure out the size of the response due to `fetch()` resolving when the response headers are in and other APIs resolving when the response body is in.

This will impact service workers' ability to stream opaque images and more importantly opaque media quickly to the document. I don't really see a way around that though.

I realized this was a problem in https://github.com/w3c/resource-timing/issues/64.

Other attacks due to opaque responses: https://github.com/whatwg/storage/issues/31.

---
https://github.com/whatwg/fetch/issues/355

Received on Friday, 5 August 2016 09:30:57 UTC