On Wed, Apr 12, 2017 at 9:16 AM, Mikko Rantalainen <mikko.rantalai...@peda.net> wrote:
> The default use case would not need to use frames. The expected use case
> would be to display custom UI for submission progress (e.g. nice
> progress bar and ETA with custom algorithm). It would be just fine to
> "lose" this custom UI once the submission is complete and next page or
> resource has been displayed.

Every now and then there's some talk about navigation transition animations. That might be all you need here. (Sorry, no pointer at hand.)

> About the information leak: in case of cross-origin the user agent could
> emit just one progress event with lengthComputable=false. However, I
> have trouble figuring out a possible attack vendor even in case full
> progress events were published cross-origin.

The problem is learning information about the destination server and being able to do better timing attacks.

> I didn't understand the point about redirects making
> same-origin/cross-origin harder to distinguish.

Because at the point you'd hit such a redirect we'd have to stop notifying you, but that would also reveal something if things are still ongoing.

--
https://annevankesteren.nl/