- From: Tom Van Goethem <notifications@github.com>
- Date: Wed, 24 Aug 2016 08:58:14 -0700
- To: whatwg/storage <storage@noreply.github.com>
Received on Wednesday, 24 August 2016 15:59:23 UTC
@annevk HEIST provides the attacker with the response size after compression, this one provides the attacker with the uncompressed response size. Knowing either is bad, knowing both is worse. While I'd much rather see a generic solution such as disabling 3rd-party cookies by default (or something that provides a transition there, as is being done with the transition to HTTPS), this issue is independent of HEIST, and if there's no viable generic solution, the issues should be mitigated one by one. In addition, I'd say this issue is easier to exploit as it's more stable and convenient (especially when `estimate()` gives the exact usage).

View the comment on GitHub: https://github.com/whatwg/storage/issues/31#issuecomment-242117879