Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Resource sizes should be restricted to CORS or same origin #52

Closed
esprehn opened this issue Apr 15, 2016 · 1 comment
Closed

Resource sizes should be restricted to CORS or same origin #52

esprehn opened this issue Apr 15, 2016 · 1 comment

Comments

@esprehn
Copy link

esprehn commented Apr 15, 2016
edited
Loading 

    readonly        attribute unsigned long long  transferSize;
    readonly        attribute unsigned long long  encodedBodySize;
    readonly        attribute unsigned long long  decodedBodySize;

Maybe I missed where the spec says it, but I don't think these should be exposed for resources you wouldn't normally have access to. You could use the byte lengths to do all kinds of information leakage across origins.
@igrigorik
Copy link
Member

They're all subject to TAO opt-in, same as all the other attributes: https://w3c.github.io/resource-timing/#timing-allow-check

If the last non-redirected fetch of the resource is not the same origin as the current document, transferSize must return zero unless the timing allow check algorithm passes.

If the last non-redirected fetch of the resource is not the same origin as the current document, encodedBodySize must return zero unless the timing allow check algorithm passes.

If the last non-redirected fetch of the resource is not the same origin as the current document, decodedBodySize must return zero unless the timing allow check algorithm passes.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
2 participants
@igrigorik @esprehn