UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36

Steps to reproduce the problem:
1. Request current quota:
navigator.webkitTemporaryStorage.queryUsageAndQuota(function(quota, usage) {
   console.log(quota)
});
2. Store remote resource using the Cache API:
fetch('https://example.org/resource', {mode: "no-cors", credentials: "same-origin"}).then(function(resp) {
   cache.put(new Request('foo'), resp.clone());
});
3. Request quota again. Subtract quota from (1). The result will be the exact size of the remote resource.

What is the expected behavior?
The size of opaque Responses should remain hidden.

What went wrong?
It is trivial to expose the size of any remote resource, even from authenticated requests. Since the size of many endpoints is related to the state of the user at that website, this attack allows adversaries to infer private information as long as JavaScript can be executed in *any* context.
If it helps, I can provide several real-world examples of such attack scenarios.

Did this work before? N/A 

Chrome version: 49.0.2623.87  Channel: stable
OS Version: OS X 10.9.5
Flash Version: Shockwave Flash 21.0 r0

The Quota Management API is flawed by design when considering any Response (including opaque ones) can be added to the Cache.
 

Deleted: quota-api-example.html 875 bytes

quota-api-example.html 875 bytes View Download