[webkit-dev] ProgressEvents for Images

Adam Barth abarth at webkit.org
Mon Jan 23 16:10:54 PST 2012 

On Mon, Jan 23, 2012 at 4:02 PM, Hans Muller <hmuller at adobe.com> wrote:
> There's a brief discussion of the cross-origin case in the
> ""ProgressEvents for Images" WhatWG thread:
> http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2012-January/034362.htm
> l and the WebKit bug about this proposed feature:
> https://bugs.webkit.org/show_bug.cgi?id=76102
>
> For cross-site images for which crossOrigin is not set, we'd proposed
> "normalizing" the loaded and size ProgressEvent attributes:
>
> ProgressEvents for cross-origin images should not reveal the actual
> resource size per
> http://www.w3.org/TR/progress-events/#security-considerations. This could
> be avoided by dispatching ProgressEvents with lengthComputable=false (and
> loaded=0, total=0) for cross-origin images. Alternatively we could
> dispatch a subclass of ProgressEvent with normalized total and loaded
> attributes. A normalized image ProgressEvent wouldn't expose the actual
> size of the resource being downloaded but it would still enable developers
> to observe relative progress. Normalization would set total to a constant
> like 1000, and loaded to a relatively correct value.
>
> The motivation for providing progress events in the cross origin case is
> applicaitons like image galleries, that just display a list of image URLs.
>  Displaying (possibly "normalized") download progress for images that will
> be displayed seems desirable.

Using zero values sounds safer than normalized values because an
attacker might be able to back out the real values from the normalized
values by taking into account things like the default packet size.

Adam


> On 1/23/12 3:42 PM, "Charles Pritchard" <chuck at jumis.com> wrote:
>>On 1/23/12 2:55 PM, Dean Jackson wrote:
>>> On 17/01/2012, at 10:41 AM, Bear Travis wrote:
>>>
>>>> <img id="image" src="sample.jpg"
>>>>      onloadstart="showProgressBar()"
>>>>      onprogress="updateProgressBar(event)"
>>>>      onloadend="hideProgressBar()"/>
>>>>
>>>> Developers have taken various tacks to enable progress reporting, for
>>>>example
>>>> in some cases XHR can be used to download image files.  Max Vujovic
>>>>just
>>>> published a blog about the practicalities of doing so:
>>>>
>>>>http://blogs.adobe.com/openweb/2012/01/13/html5-image-progress-events/.
>>>> We
>>>> think it would be preferable to provide support for image progress
>>>>events
>>>> directly.
>>> I think this would be extremely useful. It would require a proposal to
>>> W3C or WHATWG though.
>>
>>Seems like this would need to follow CORS.
>>Even disclosing the file size is going too far for cross-domain without
>>CORS.
>>
>>-Charles
>>_______________________________________________
>>webkit-dev mailing list
>>webkit-dev at lists.webkit.org
>>http://lists.webkit.org/mailman/listinfo.cgi/webkit-dev
>
> _______________________________________________
> webkit-dev mailing list
> webkit-dev at lists.webkit.org
> http://lists.webkit.org/mailman/listinfo.cgi/webkit-dev

More information about the webkit-dev mailing list