On Mon, Jan 23, 2012 at 8:44 AM, Hans Muller <[email protected]> wrote: > Thanks for the encouraging words. > > For cross-site images for which crossOrigin is not set, we'd proposed > "normalizing" the loaded and size ProgressEvent attributes: > > https://bugs.webkit.org/show_bug.cgi?id=76102 > ProgressEvents for cross-origin images should not reveal the actual > resource size per > http://www.w3.org/TR/progress-events/#security-considerations. This could > be avoided by dispatching ProgressEvents with lengthComputable=false (and > loaded=0, total=0) for cross-origin images. Alternatively we could > dispatch a subclass of ProgressEvent with normalized total and loaded > attributes. A normalized image ProgressEvent wouldn't expose the actual > size of the resource being downloaded but it would still enable developers > to observe relative progress. Normalization would set total to a constant > like 1000, and loaded to a relatively correct value. > > A normalized image ProgressEvent would still reveal a little bit about the > server, even dispatching ProgressEvents with lengthComputable=false would > do so. As you pointed out, we could avoid this issue altogether by not > dispatching progress events at all in the unauthorized cross-site case, > although doing so diminishes the utility of dispatching the events.
I don't know if this would still leak some information. For example, are packet sizes reliable enough that you can estimate the downloaded size by simply counting the number of ProgressEvents? I don't have a strong opinion as I don't feel that I know enough. / Jonas
