[whatwg] ProgressEvents for Images
Jonas Sicking
jonas at sicking.cc
Mon Jan 23 19:36:39 PST 2012
On Mon, Jan 23, 2012 at 8:44 AM, Hans Muller <hmuller at adobe.com> wrote:
> Thanks for the encouraging words.
>
> For cross-site images for which crossOrigin is not set, we'd proposed
> "normalizing" the loaded and size ProgressEvent attributes:
>
> https://bugs.webkit.org/show_bug.cgi?id=76102
> ProgressEvents for cross-origin images should not reveal the actual
> resource size per
> http://www.w3.org/TR/progress-events/#security-considerations. This could
> be avoided by dispatching ProgressEvents with lengthComputable=false (and
> loaded=0, total=0) for cross-origin images. Alternatively we could
> dispatch a subclass of ProgressEvent with normalized total and loaded
> attributes. A normalized image ProgressEvent wouldn't expose the actual
> size of the resource being downloaded but it would still enable developers
> to observe relative progress. Normalization would set total to a constant
> like 1000, and loaded to a relatively correct value.
>
> A normalized image ProgressEvent would still reveal a little bit about the
> server; even dispatching ProgressEvents with lengthComputable=false would
> do so. As you pointed out, we could avoid this issue altogether by not
> dispatching progress events at all in the unauthorized cross-site case,
> although doing so diminishes the utility of dispatching the events.

I don't know if this would still leak some information. For example,
are packet sizes reliable enough that you can estimate the downloaded
size by simply counting the number of ProgressEvents?

I don't have a strong opinion as I don't feel that I know enough.

/ Jonas
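
The normalization proposed in the quoted message and the event-count question raised in the reply, as an added example that is not part of the original thread or of any browser's code. The function names, the one-event-per-chunk model and the sample sizes are assumptions made for illustration.

```javascript
// Added illustration; names and the chunking model are assumptions.
const NORMALIZED_TOTAL = 1000; // the constant suggested in the quoted proposal

// Normalize one progress sample so the real byte counts are not exposed.
function normalize(loaded, total) {
  if (total <= 0) return { lengthComputable: false, loaded: 0, total: 0 };
  return {
    lengthComputable: true,
    loaded: Math.floor((loaded / total) * NORMALIZED_TOTAL),
    total: NORMALIZED_TOTAL,
  };
}

// Model A (assumed): one normalized event per received network chunk.
// The attributes hide the size, but the number of events tracks it.
function eventsPerChunk(sizeBytes, chunkBytes) {
  const events = [];
  for (let got = 0; got < sizeBytes; ) {
    got = Math.min(got + chunkBytes, sizeBytes);
    events.push(normalize(got, sizeBytes));
  }
  return events;
}

// Model B (assumed mitigation): dispatch only when normalized progress
// crosses a fixed step, so the event count is bounded by `steps`.
function eventsCoalesced(sizeBytes, chunkBytes, steps = 10) {
  const stepSize = NORMALIZED_TOTAL / steps;
  const events = [];
  let lastBucket = 0;
  for (const ev of eventsPerChunk(sizeBytes, chunkBytes)) {
    const bucket = Math.floor(ev.loaded / stepSize);
    if (bucket > lastBucket) {
      events.push({ ...ev, loaded: bucket * stepSize });
      lastBucket = bucket;
    }
  }
  return events;
}

// Constructed sample input: two resource sizes, 1460-byte chunks.
for (const size of [50000, 500000]) {
  const a = eventsPerChunk(size, 1460).length;
  const b = eventsCoalesced(size, 1460).length;
  console.log(`${size} bytes: per-chunk events=${a}, coalesced events=${b}`);
}
```

Coalescing bounds the count, but a resource smaller than a few chunks still produces fewer events than the bound, and event timing is not addressed by either model.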