Re: [w3ctag/design-reviews] Expose contentEncoding in resourceTiming (Issue #1064)

martinthomson left a comment (w3ctag/design-reviews#1064)

The use of `@unknown` for that seems highly specific and ineffective at preventing that attack.  If you allow any information out, that exfiltration can happen.  Especially with content type being available.  You have multiple bits available (image type, different content codings), why do you think that blocking one very specific part of the information is going to be effective?

It seems to me like limiting the resource to an opaque report (which has none of this information) is the only real mechanism (and even there, you get start and end times, which can be used to exfiltrate information).  Again, if this is a security mechanism, you need to close the channel entirely, not just close off a tiny part of it.

https://github.com/w3ctag/design-reviews/issues/1064#issuecomment-2943593618

Received on Thursday, 5 June 2025 10:16:33 UTC
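The argument above, that hiding `contentEncoding` alone leaves other distinguishing fields exposed, as an added example (not code from the thread, from any browser, or from the spec proposal). It models two responses for one cross-origin URL that vary with the visitor's state and checks which fields still differ under each redaction policy; the field names follow `PerformanceResourceTiming` plus the proposed `contentEncoding`, and the entry values are constructed sample data, not measurements.

```javascript
// Added example: models the comment's argument about residual bits in a
// Resource Timing entry. Field names follow PerformanceResourceTiming
// (startTime, responseEnd, contentType, encodedBodySize, decodedBodySize)
// plus the proposed contentEncoding; entry values are constructed samples.

const FULL_FIELDS = ["startTime", "responseEnd", "contentType", "contentEncoding",
                     "encodedBodySize", "decodedBodySize"];

const POLICIES = {
  full: FULL_FIELDS,
  // The proposal under discussion: replace only contentEncoding with "@unknown".
  hideEncoding: FULL_FIELDS.filter(f => f !== "contentEncoding"),
  // An opaque cross-origin report: timing only.
  opaque: ["startTime", "responseEnd"],
};

// Project an entry onto the fields a policy exposes; everything else reads "@unknown".
function visibleFields(entry, policy) {
  const out = {};
  for (const f of FULL_FIELDS) {
    out[f] = POLICIES[policy].includes(f) ? entry[f] : "@unknown";
  }
  return out;
}

// Fields whose exposed values differ between two entries. A non-empty list means a
// script observing the entry could still tell the two responses apart.
function differingFields(a, b, policy) {
  const va = visibleFields(a, policy), vb = visibleFields(b, policy);
  return FULL_FIELDS.filter(f => va[f] !== vb[f]);
}

// Distinguishing information a policy leaks over a set of entries, in bits:
// log2 of the number of distinct visible projections.
function leakedBits(entries, policy) {
  const distinct = new Set(entries.map(e => JSON.stringify(visibleFields(e, policy))));
  return Math.log2(distinct.size);
}

// Constructed sample: same URL, served differently to a logged-out and a logged-in user.
const loggedOut = { startTime: 100, responseEnd: 130, contentType: "image/png",
                    contentEncoding: "identity", encodedBodySize: 512, decodedBodySize: 512 };
const loggedIn  = { startTime: 100, responseEnd: 160, contentType: "image/svg+xml",
                    contentEncoding: "gzip", encodedBodySize: 2100, decodedBodySize: 8400 };

console.log("hideEncoding still differs in:", differingFields(loggedOut, loggedIn, "hideEncoding"));
console.log("opaque still differs in:", differingFields(loggedOut, loggedIn, "opaque"));
```

Under `hideEncoding` the content type, body sizes and end time still separate the two responses, and even the `opaque` policy keeps the timing difference the comment mentions.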