[whatwg] ProgressEvents for Images

Jonas Sicking jonas at sicking.cc
Mon Jan 23 19:36:39 PST 2012


On Mon, Jan 23, 2012 at 8:44 AM, Hans Muller <hmuller at adobe.com> wrote:
> Thanks for the encouraging words.
>
> For cross-site images for which crossOrigin is not set, we'd proposed
> "normalizing" the loaded and size ProgressEvent attributes:
>
> https://bugs.webkit.org/show_bug.cgi?id=76102
> ProgressEvents for cross-origin images should not reveal the actual
> resource size per
> http://www.w3.org/TR/progress-events/#security-considerations.  This could
> be avoided by dispatching ProgressEvents with lengthComputable=false (and
> loaded=0, total=0) for cross-origin images.   Alternatively we could
> dispatch a subclass of ProgressEvent with normalized total and loaded
> attributes.  A normalized image ProgressEvent wouldn't expose the actual
> size of the resource being downloaded but it would still enable developers
> to observe relative progress.  Normalization would set total to a constant
> like 1000, and loaded to a relatively correct value.
>
> A normalized image ProgressEvent would still reveal a little bit about the
> server, even dispatching ProgressEvents with lengthComputable=false would
> do so.  As you pointed out, we could avoid this issue altogether by not
> dispatching progress events at all in the unauthorized cross-site case,
> although doing so diminishes the utility of dispatching the events.

I don't know if this would still leak some information. For example,
are packet sizes reliable enough that you can estimate the downloaded
size by simply counting the number of ProgressEvents?

I don't have a strong opinion as I don't feel that I know enough.

/ Jonas



More information about the whatwg mailing list