W3C home > Mailing lists > Public > public-webappsec@w3.org > July 2016

onload / onerror for <link rel="prefetch">

From: Richard Barnes <rbarnes@mozilla.com>
Date: Thu, 14 Jul 2016 14:01:52 -0400
Message-ID: <CAOAcki-5QuPOHD4pO_+2RHOtDKLSq17YesfdPWrHcr02COGyBg@mail.gmail.com>
To: WebAppSec WG <public-webappsec@w3.org>
Hey WebAppSec'ians,

There's a question on the HTML spec that I think could use attention from
this group:

https://github.com/whatwg/html/issues/1142 (<--- hard to parse Github issue)
https://bugzilla.mozilla.org/show_bug.cgi?id=1268962 (<-- slightly clearer
Bugzilla bug)
https://bugzilla.mozilla.org/show_bug.cgi?id=1268962#c21 (<-- my analysis)

Basically, there are some web devs that want to be able to tell whether a
prefetch worked or not.  But that would create a general mechanism to probe
for the presence of resources cross-origin.

The question is: Does this cross-origin information leakage matter in
practice?  Enough to warrant doing something CORS-like just to gate the
load/error events?

Personally, this seems pretty marginal to me, given that you can already
probe for resource types that have their own tags (<img>, <script>, etc.).
But I'm open if others have concerns.

Received on Thursday, 14 July 2016 18:02:23 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:56 UTC