w3c/resource-timing

User Agent may want to restrict cross-origin transferSize/encodedBodySize/decodedBodySize visibility even with TAO

achristensen07 opened this issue · 2 comments

Doing so would prevent a side-channel to gather data even from origins that send TAO headers. This is similar to w3c/server-timing#89, which proposes a similar restriction for Server Timing.

This was discussed at TPAC, and there was agreement we can allow such UA liberties in the spec.

@achristensen07 - Are you interested in submitting a PR to that effect?

I can make a PR.