Hey WebAppSec'ians, There's a question on the HTML spec that I think could use attention from this group: https://github.com/whatwg/html/issues/1142 (<--- hard to parse Github issue) https://bugzilla.mozilla.org/show_bug.cgi?id=1268962 (<-- slightly clearer Bugzilla bug) https://bugzilla.mozilla.org/show_bug.cgi?id=1268962#c21 (<-- my analysis) Basically, there are some web devs that want to be able to tell whether a prefetch worked or not. But that would create a general mechanism to probe for the presence of resources cross-origin. The question is: Does this cross-origin information leakage matter in practice? Enough to warrant doing something CORS-like just to gate the load/error events? Personally, this seems pretty marginal to me, given that you can already probe for resource types that have their own tags (<img>, <script>, etc.). But I'm open if others have concerns. Thanks, --RichardReceived on Thursday, 14 July 2016 18:02:23 UTC
This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:20 UTC