- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Wed, 12 Apr 2017 09:25:20 +0200
- To: Mikko Rantalainen <mikko.rantalainen@peda.net>
- Cc: WHATWG <whatwg@lists.whatwg.org>

On Wed, Apr 12, 2017 at 9:16 AM, Mikko Rantalainen <mikko.rantalainen@peda.net> wrote:
> The default use case would not need to use frames. The expected use case
> would be to display custom UI for submission progress (e.g. nice
> progress bar and ETA with custom algorithm). It would be just fine to
> "lose" this custom UI once the submission is complete and next page or
> resource has been displayed.

Every now and then there's some talk about navigation transition animations. That might be all you need here. (Sorry, no pointer at hand.)

> About the information leak: in case of cross-origin the user agent could
> emit just one progress event with lengthComputable=false. However, I
> have trouble figuring out a possible attack vendor even in case full
> progress events were published cross-origin.

The problem is learning information about the destination server and being able to do better timing attacks.

> I didn't understand the point about redirects making
> same-origin/cross-origin harder to distinguish.

Because at the point you'd hit such a redirect we'd have to stop notifying you, but that would also reveal something if things are still ongoing.

--
https://annevankesteren.nl/

Received on Wednesday, 12 April 2017 07:25:53 UTC