- From: Jonas Sicking <jonas@sicking.cc>
- Date: Mon, 23 Jan 2012 19:36:39 -0800
On Mon, Jan 23, 2012 at 8:44 AM, Hans Muller <hmuller at adobe.com> wrote:
> Thanks for the encouraging words.
>
> For cross-site images for which crossOrigin is not set, we'd proposed
> "normalizing" the loaded and size ProgressEvent attributes:
>
> https://bugs.webkit.org/show_bug.cgi?id=76102
> ProgressEvents for cross-origin images should not reveal the actual
> resource size per
> http://www.w3.org/TR/progress-events/#security-considerations. This could
> be avoided by dispatching ProgressEvents with lengthComputable=false (and
> loaded=0, total=0) for cross-origin images. Alternatively we could
> dispatch a subclass of ProgressEvent with normalized total and loaded
> attributes. A normalized image ProgressEvent wouldn't expose the actual
> size of the resource being downloaded but it would still enable developers
> to observe relative progress. Normalization would set total to a constant
> like 1000, and loaded to a relatively correct value.
>
> A normalized image ProgressEvent would still reveal a little bit about the
> server, even dispatching ProgressEvents with lengthComputable=false would
> do so. As you pointed out, we could avoid this issue altogether by not
> dispatching progress events at all in the unauthorized cross-site case,
> although doing so diminishes the utility of dispatching the events.

I don't know if this would still leak some information. For example, are
packet sizes reliable enough that you can estimate the downloaded size by
simply counting the number of ProgressEvents?

I don't have a strong opinion as I don't feel that I know enough.

/ Jonas
Received on Monday, 23 January 2012 19:36:39 UTC
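The three options Hans lists (suppress events, dispatch them with lengthComputable=false, or normalize total to a constant like 1000) and the event-counting side channel Jonas asks about, as an added JavaScript sketch that is not part of this thread or of the WebKit change it discusses. The function names, the `policy` argument and the fixed-size packet model are assumptions for illustration only; real packet sizes vary, which is precisely the uncertainty Jonas raises.

```javascript
// Added illustration, not code from the thread or from WebKit.
// Models what a page observes from ProgressEvents on an <img> under each
// of the policies discussed, and whether counting events still leaks size.

const NORMALIZED_TOTAL = 1000; // constant proposed in the thread

// Return the ProgressEvent fields a page may see for one progress update.
// authorized: true when the image is same-origin, or crossOrigin was set and
//             the server granted access via CORS (real size may be exposed).
// policy (assumed names): 'suppress' | 'opaque' | 'normalize'
function exposeProgress(loaded, total, authorized, policy) {
  if (authorized) {
    return { lengthComputable: true, loaded, total };
  }
  switch (policy) {
    case 'suppress':
      return null; // no event dispatched at all
    case 'opaque':
      return { lengthComputable: false, loaded: 0, total: 0 };
    case 'normalize':
      // Relative progress only: total is a constant, loaded is scaled to it.
      return {
        lengthComputable: true,
        loaded: Math.floor((loaded * NORMALIZED_TOTAL) / total),
        total: NORMALIZED_TOTAL,
      };
    default:
      throw new Error('unknown policy: ' + policy);
  }
}

// Simulate delivery of a `size`-byte image in `packet`-byte pieces, with one
// ProgressEvent dispatched per piece (a simplifying assumption).
function simulateLoad(size, packet, authorized, policy) {
  const events = [];
  let received = 0;
  while (received < size) {
    received = Math.min(received + packet, size);
    const ev = exposeProgress(received, size, authorized, policy);
    if (ev !== null) events.push(ev);
  }
  return events;
}

// Jonas's question: if packets are a predictable size, the number of events
// alone bounds the real size regardless of what loaded/total report.
function sizeBoundsFromEventCount(events, assumedPacket) {
  const n = events.length;
  if (n === 0) return null; // nothing to count under the 'suppress' policy
  return { min: (n - 1) * assumedPacket + 1, max: n * assumedPacket };
}

// Constructed sample: a 4500-byte cross-origin image in 1460-byte packets.
const SAMPLE_SIZE = 4500;
const SAMPLE_PACKET = 1460;

function demo() {
  const normalized = simulateLoad(SAMPLE_SIZE, SAMPLE_PACKET, false, 'normalize');
  const opaque = simulateLoad(SAMPLE_SIZE, SAMPLE_PACKET, false, 'opaque');
  const suppressed = simulateLoad(SAMPLE_SIZE, SAMPLE_PACKET, false, 'suppress');
  return {
    normalizedLoaded: normalized.map((e) => e.loaded),
    boundsNormalized: sizeBoundsFromEventCount(normalized, SAMPLE_PACKET),
    boundsOpaque: sizeBoundsFromEventCount(opaque, SAMPLE_PACKET),
    boundsSuppressed: sizeBoundsFromEventCount(suppressed, SAMPLE_PACKET),
  };
}
```

Under this packet model both the normalized and the opaque variants dispatch the same number of events, so an observer who knows the packet size learns the real size to within one packet either way; only suppressing the events removes that count. Whether packet sizes are predictable enough in practice for this to matter is the open question in the thread.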