W3C home > Mailing lists > Public > public-webappsec@w3.org > July 2016

Re: onload / onerror for <link rel="prefetch">

From: Anne van Kesteren <annevk@annevk.nl>
Date: Mon, 18 Jul 2016 09:49:19 +0200
Message-ID: <CADnb78hR6kzAKJxdqoYAswUG=hPm0jzyDoKUZTZmxMaTJBeBkA@mail.gmail.com>
To: Richard Barnes <rbarnes@mozilla.com>
Cc: WebAppSec WG <public-webappsec@w3.org>
On Thu, Jul 14, 2016 at 8:01 PM, Richard Barnes <rbarnes@mozilla.com> wrote:
> The question is: Does this cross-origin information leakage matter in
> practice?  Enough to warrant doing something CORS-like just to gate the
> load/error events?

The main problem is that <object> already leaks all non-2xx for
"no-cors" by showing fallback. Coupled with using another API that
only rejects for network errors you can figure out whether it was a
non-2xx or network error. So basically, with 2 requests you can
determine the rough ballpark of a "no-cors" response's status code.

So I'd say we already have the leak.

The question that seems to remain unanswered is whether prefetch needs
to distinguish between network errors and non-2xx or not.

Received on Monday, 18 July 2016 07:49:49 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:56 UTC