Re: [w3ctag/design-reviews] Expose contentEncoding in resourceTiming (Issue #1064)

noamr left a comment (w3ctag/design-reviews#1064)

> The use of `@unknown` for that seems highly specific and ineffective at preventing that attack. If you allow any information out, that exfiltration can happen. Especially with content type being available. 

> You have multiple bits available (image type, different content codings), why do you think that blocking one very specific part of the information is going to be effective?

`Content-Type` is also limited to a set of defined MIME types, for the same reason.
There's a vast difference in entropy between a spec-defined enum and an open string.

Though I am aligned with this generally being a good restriction, I'd defer this to folks at Apple (@annevk and co) who were the advocates for this restriction to perhaps explain it better than I can.


-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/1064#issuecomment-2943622083
You are receiving this because you are subscribed to this thread.

Message ID: <w3ctag/design-reviews/issues/1064/2943622083@github.com>

Received on Thursday, 5 June 2025 10:24:11 UTC
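The entropy point made in the comment above, as an added illustration that is not part of the issue thread or of any browser's ResourceTiming implementation. It models two exposure policies for a header-derived field: reflecting the raw `Content-Encoding` value, and collapsing it onto a spec-defined enum with an `unknown` fallback. The enum used here (`identity`, `gzip`, `deflate`, `br`, `zstd`), the treatment of a missing header as `identity`, and the sample responses are all assumptions made for the example; the actual proposal's list and edge-case handling may differ.

```javascript
// Added example for the entropy argument; not code from the design-reviews
// thread or from any browser. ASSUMPTIONS: the spec-defined enum is the set
// below plus "unknown", and a missing Content-Encoding means "identity"
// (the HTTP default). The real proposal may define these differently.
const KNOWN_CONTENT_ENCODINGS = Object.freeze(["identity", "gzip", "deflate", "br", "zstd"]);
const UNKNOWN = "unknown";

// Collapse a raw header value onto the enum. Anything outside the enum,
// including multi-coding lists such as "gzip, br", maps to "unknown" here
// (a simplification for the example; the proposal may treat lists otherwise).
function normalizeContentEncoding(raw) {
  if (raw === undefined || raw === null) return "identity";
  if (typeof raw !== "string") return UNKNOWN;
  const token = raw.trim().toLowerCase();
  return KNOWN_CONTENT_ENCODINGS.includes(token) ? token : UNKNOWN;
}

// Two candidate exposure policies for a ResourceTiming-like entry.
const POLICIES = {
  // "Allow any information out": the header value is reflected as-is.
  verbatim: (headerValue) => headerValue ?? "identity",
  // The enum restriction under discussion.
  allowlisted: normalizeContentEncoding,
};

// Upper bound on what a single response can convey through this field.
// For the enum it is log2(|enum| + 1) bits (the +1 is "unknown"). A free-form
// header value is bounded only by server and client header limits, so for the
// purpose of the comparison the verbatim channel is treated as unbounded.
function maxBitsPerResponse(policyName) {
  if (policyName === "allowlisted") return Math.log2(KNOWN_CONTENT_ENCODINGS.length + 1);
  if (policyName === "verbatim") return Infinity;
  throw new Error(`unknown policy: ${policyName}`);
}

// Constructed sample responses (not real traffic). The last one carries an
// attacker-chosen header value that becomes a covert channel if reflected.
const SAMPLE_RESPONSES = Object.freeze([
  { url: "https://cdn.example/app.js", contentEncoding: "br" },
  { url: "https://cdn.example/legacy.js", contentEncoding: "GZIP" },
  { url: "https://cdn.example/photo.jpg", contentEncoding: undefined },
  { url: "https://attacker.example/beacon", contentEncoding: "secret-4f3a9c" },
]);

// Build the entries a page would observe under a given policy.
function exposeEntries(policyName, responses = SAMPLE_RESPONSES) {
  const expose = POLICIES[policyName];
  if (!expose) throw new Error(`unknown policy: ${policyName}`);
  return responses.map((r) => ({ url: r.url, contentEncoding: expose(r.contentEncoding) }));
}

// What the observing page recovers from the attacker's beacon under each policy.
function leakedValue(policyName) {
  const beacon = exposeEntries(policyName).find((e) => e.url.startsWith("https://attacker.example/"));
  return beacon.contentEncoding;
}

for (const name of Object.keys(POLICIES)) {
  console.log(`${name}: leaked=${JSON.stringify(leakedValue(name))}, bits/response<=${maxBitsPerResponse(name)}`);
}
```

Under the verbatim policy the beacon's header string comes through unchanged, so each response can carry as many bits as the header is long; under the allowlisted policy the same response yields only `unknown`, and no response can contribute more than log2(6) bits, whatever the server sends. That bound, not the single `@unknown` value, is what the enum buys.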