- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Mon, 18 Jul 2016 09:49:19 +0200
- To: Richard Barnes <rbarnes@mozilla.com>
- Cc: WebAppSec WG <public-webappsec@w3.org>
On Thu, Jul 14, 2016 at 8:01 PM, Richard Barnes <rbarnes@mozilla.com> wrote:
> The question is: Does this cross-origin information leakage matter in
> practice? Enough to warrant doing something CORS-like just to gate the
> load/error events?

The main problem is that <object> already leaks all non-2xx for "no-cors" by showing fallback. Coupled with using another API that only rejects for network errors you can figure out whether it was a non-2xx or network error. So basically, with 2 requests you can determine the rough ballpark of a "no-cors" response's status code.

So I'd say we already have the leak. The question that seems to remain unanswered is whether prefetch needs to distinguish between network errors and non-2xx or not.

-- 
https://annevankesteren.nl/
Received on Monday, 18 July 2016 07:49:49 UTC
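The two-request probe Anne describes, written out as an added example (editor's illustration, not code from the original message or from the WebAppSec WG). It combines the two observable signals: an <object> element fires "load" only for an ok (2xx) response and otherwise fires "error" and shows its fallback content, while fetch() in "no-cors" mode resolves with an opaque response for any HTTP status and rejects only on a network error. The names probeNoCorsStatus, observeObject, observeFetch and classifyNoCorsResponse are assumed for this example. The classification function is pure so it can be exercised outside a browser; the probe itself needs a DOM and fetch, and assumes the embedding page's CSP (if any) allows object-src and connect-src for the target origin, since a CSP block also produces the "error" signal and would be misread as a non-2xx status.

```javascript
// Added example, not part of the original message. Demonstrates the
// two-request "no-cors" status-ballpark probe described in the thread.

// Pure decision logic. Inputs are the two signals the browser exposes:
//   objectLoaded:  true if <object> fired "load" (ok status), false if it
//                  fired "error" / showed fallback (non-2xx OR network error)
//   fetchResolved: true if fetch(url, {mode: "no-cors"}) resolved with an
//                  opaque response (some HTTP response arrived, any status),
//                  false if it rejected with a TypeError (network error)
function classifyNoCorsResponse(objectLoaded, fetchResolved) {
  if (fetchResolved && objectLoaded) return "http-2xx";       // ok status
  if (fetchResolved && !objectLoaded) return "http-non-2xx";  // 4xx/5xx/etc.
  if (!fetchResolved && !objectLoaded) return "network-error"; // no response
  // fetch saw no response but <object> loaded: transient failure on one
  // of the two requests; the caller should re-run the probe.
  return "inconsistent";
}

// Browser-only: load the URL through an <object> and report whether it
// fired "load" (true) or "error" (false). The element is removed once the
// outcome is known so the probe leaves nothing behind in the DOM.
function observeObject(url) {
  return new Promise((resolve) => {
    const obj = document.createElement("object");
    const done = (loaded) => { obj.remove(); resolve(loaded); };
    obj.addEventListener("load", () => done(true), { once: true });
    obj.addEventListener("error", () => done(false), { once: true });
    obj.data = url;                 // cross-origin URL, fetched as "no-cors"
    document.body.appendChild(obj);
  });
}

// Browser-only: the second request. credentials: "include" matches the
// credentials mode an <object> load uses, so both requests carry cookies.
function observeFetch(url) {
  return fetch(url, { mode: "no-cors", credentials: "include" })
    .then(() => true, () => false);
}

// Browser-only: run both requests and classify the cross-origin response.
// Example: probeNoCorsStatus("https://target.example/secret").then(console.log)
async function probeNoCorsStatus(url) {
  const [objectLoaded, fetchResolved] = await Promise.all([
    observeObject(url),
    observeFetch(url),
  ]);
  return classifyNoCorsResponse(objectLoaded, fetchResolved);
}

// Only self-run in a browser; in Node there is no DOM, so nothing happens.
if (typeof document !== "undefined" && typeof fetch === "function") {
  // Assumed target URL for illustration; replace with the URL under test.
  probeNoCorsStatus("https://target.example/resource").then((verdict) => {
    console.log("no-cors response ballpark:", verdict);
  });
}
```

The probe only ever yields three buckets (ok status, some other HTTP status, no HTTP response), which is exactly the "rough ballpark" the message refers to; it cannot distinguish a 404 from a 500, and a redirect is classified by the status of the response the redirect chain ends on, because both the <object> load and the fetch follow it.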