- From: Richard Barnes <rbarnes@mozilla.com>
- Date: Thu, 14 Jul 2016 14:01:52 -0400
- To: WebAppSec WG <public-webappsec@w3.org>
Received on Thursday, 14 July 2016 18:02:23 UTC
Hey WebAppSec'ians,

There's a question on the HTML spec that I think could use attention from this group:

https://github.com/whatwg/html/issues/1142 (<--- hard to parse Github issue)
https://bugzilla.mozilla.org/show_bug.cgi?id=1268962 (<-- slightly clearer Bugzilla bug)
https://bugzilla.mozilla.org/show_bug.cgi?id=1268962#c21 (<-- my analysis)

Basically, there are some web devs that want to be able to tell whether a prefetch worked or not. But that would create a general mechanism to probe for the presence of resources cross-origin.

The question is: Does this cross-origin information leakage matter in practice? Enough to warrant doing something CORS-like just to gate the load/error events?

Personally, this seems pretty marginal to me, given that you can already probe for resource types that have their own tags (<img>, <script>, etc.). But I'm open if others have concerns.

Thanks,
--Richard