
[whatwg] ProgressEvents for Images

From: Jonas Sicking <jonas@sicking.cc>
Date: Mon, 23 Jan 2012 19:36:39 -0800
Message-ID: <CA+c2ei-9ZuE-L4w49o7Pm9-Jh4aLFbGbGf1PjmgCZvAVy1HuzA@mail.gmail.com>
On Mon, Jan 23, 2012 at 8:44 AM, Hans Muller <hmuller at adobe.com> wrote:
> Thanks for the encouraging words.
>
> For cross-site images for which crossOrigin is not set, we'd proposed
> "normalizing" the loaded and size ProgressEvent attributes:
>
> https://bugs.webkit.org/show_bug.cgi?id=76102
> ProgressEvents for cross-origin images should not reveal the actual
> resource size per
> http://www.w3.org/TR/progress-events/#security-considerations. This could
> be avoided by dispatching ProgressEvents with lengthComputable=false (and
> loaded=0, total=0) for cross-origin images. Alternatively we could
> dispatch a subclass of ProgressEvent with normalized total and loaded
> attributes. A normalized image ProgressEvent wouldn't expose the actual
> size of the resource being downloaded but it would still enable developers
> to observe relative progress. Normalization would set total to a constant
> like 1000, and loaded to a relatively correct value.
>
> A normalized image ProgressEvent would still reveal a little bit about the
> server, even dispatching ProgressEvents with lengthComputable=false would
> do so. As you pointed out, we could avoid this issue altogether by not
> dispatching progress events at all in the unauthorized cross-site case,
> although doing so diminishes the utility of dispatching the events.

I don't know if this would still leak some information. For example,
are packet sizes reliable enough that you can estimate the downloaded
size by simply counting the number of ProgressEvents?

I don't have a strong opinion as I don't feel that I know enough.

/ Jonas
Received on Monday, 23 January 2012 19:36:39 UTC
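
The normalization proposed in the quoted message and the event-counting question raised in the reply, modeled as an added example that is not part of the original thread or of any browser's code. The 1460-byte chunk size, the two dispatch policies and all function names are assumptions made for illustration.

```javascript
// Added example: a model of the proposal discussed above, not browser code.
const NORMALIZED_TOTAL = 1000; // the constant suggested in the quoted proposal

// Map real byte counts to normalized ProgressEvent-like attributes.
function normalizeProgress(loadedBytes, totalBytes) {
  if (totalBytes <= 0) {
    return { lengthComputable: false, loaded: 0, total: 0 };
  }
  // Integer-first arithmetic avoids floating point rounding below a boundary.
  const loaded = Math.floor((loadedBytes * NORMALIZED_TOTAL) / totalBytes);
  return {
    lengthComputable: true,
    loaded: Math.min(loaded, NORMALIZED_TOTAL),
    total: NORMALIZED_TOTAL,
  };
}

// Policy A (assumed): one normalized event per received network chunk.
// The attributes hide the size, but the number of events scales with it.
function eventsPerChunk(totalBytes, chunkBytes) {
  const events = [];
  let got = 0;
  while (got < totalBytes) {
    got = Math.min(got + chunkBytes, totalBytes);
    events.push(normalizeProgress(got, totalBytes));
  }
  return events;
}

// Policy B (assumed, not proposed in the thread): dispatch only when the
// normalized value enters a new fixed-width step, so the event count is
// capped at NORMALIZED_TOTAL / step regardless of resource size.
function eventsPerStep(totalBytes, chunkBytes, step) {
  const events = [];
  let lastBucket = 0;
  for (const ev of eventsPerChunk(totalBytes, chunkBytes)) {
    const bucket = Math.floor(ev.loaded / step);
    if (bucket > lastBucket) {
      events.push(ev);
      lastBucket = bucket;
    }
  }
  return events;
}
```

With constructed sizes of 20000 and 200000 bytes, policy A yields 14 and 137 events while policy B yields 10 for both. A resource that arrives in fewer chunks than there are steps still produces fewer events under policy B, so the cap bounds the count without making small resources indistinguishable.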
