W3C home > Mailing lists > Public > whatwg@whatwg.org > April 2017

Re: [whatwg] Adding progress event for native <form>?

From: Anne van Kesteren <annevk@annevk.nl>
Date: Wed, 12 Apr 2017 09:25:20 +0200
Message-ID: <CADnb78hWcCPLdH9WnahzVfEDY8i4UHF4EMo71+SZfkugqznGQg@mail.gmail.com>
To: Mikko Rantalainen <mikko.rantalainen@peda.net>
Cc: WHATWG <whatwg@lists.whatwg.org>
On Wed, Apr 12, 2017 at 9:16 AM, Mikko Rantalainen
<mikko.rantalainen@peda.net> wrote:
> The default use case would not need to use frames. The expected use case
> would be to display custom UI for submission progress (e.g. nice
> progress bar and ETA with custom algorithm). It would be just fine to
> "lose" this custom UI once the submission is complete and next page or
> resource has been displayed.

Every now and then there's some talk about navigation transition
animations. That might be all you need here. (Sorry, no pointer at
hand.)


> About the information leak: in case of cross-origin the user agent could
> emit just one progress event with lengthComputable=false. However, I
> have throuble figuring out a possible attack vendor even in case full
> progress events were published cross-origin.

The problem is learning information about the destination server and
being able to do better timing attacks.


> I didn't understand the point about redirects making
> same-origin/cross-origin harder to distinguish.

Because at the point you'd hit such a redirect we'd have to stop
notifying you, but that would also reveal something if things are
still ongoing.


-- 
https://annevankesteren.nl/
Received on Wednesday, 12 April 2017 07:25:53 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 12 April 2017 07:25:53 UTC