queryUsageAndQuota allows to get size of no-cors request
Reported by
psuw...@atlassian.com,
Jan 3 2018
|
||||||||
Issue descriptionUserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36 Steps to reproduce the problem: 1. create worker and in it a. execute no-cors fetch b. put request and response in cache 2. execute navigator.webkitTemporaryStorage.queryUsageAndQuota in browser What is the expected behavior? pages with no-cache headers shouldn't be allowed to get cached. OR navigator.webkitTemporaryStorage.queryUsageAndQuota shouldn't return precise values. What went wrong? `queryUsageAndQuota` returns the size of cache. If we try to send no-cors request to login page it will try to login. Fetch request won't return any useable data, but if we cache the request then usageQuota will be updated by the size of request and response. If we compare sizes of consequential request then it may be possible to differentiate request which succeeded from these that didn't solely relying on occupied size of cache. Did this work before? No Does this work in other browsers? Yes Chrome version: 63.0.3239.84 Channel: stable OS Version: OS X 10.13.2 Flash Version:
,
Jan 4 2018
psuwala@ - Thanks for filing the issue...!! Could you please provide a sample url/test file to test the issue from TE-end. This will help us in triaging the issue further. Thanks...!!
,
Jan 4 2018
,
Jan 5 2018
To mitigate this issue we should be padding the size of opaque responses as seen by the quota system. This padding was enabled in 63. Do you have a repro that demonstrates this in 63? (Also, is there really anything Worker specific about the steps?)
,
Jan 7 2018
I will try to deliver poc it this week. When was 63 released? Can non worker access cache or usageQuota?
,
Jan 7 2018
Thank you for providing more feedback. Adding requester "krajshree@chromium.org" to the cc list and removing "Needs-Feedback" label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jan 8 2018
queryUsageAndQuota will return a size, but it should have a randomized amount of padding on it. So you shouldn't be able to determine cached vs non-cached very easily. At least not more easily than you could by other means (such as network timing of the resource load).
,
Jan 8 2018
I was testing the bug one month ago. It seems that 63 was released around this time. I will reassess.
,
Jan 8 2018
Re: "Can non worker access cache or usageQuota?" Yes. Any secure context (roughly: page/worker served by https or localhost) can access `self.caches` and can call `navigator.storage.estimate()` (The legacy quota APIs return the same values.)
,
Jan 9 2018
-Workers per comment 9.
,
Jan 9 2018
Josh: I'm just going to assign this to you. If it turns out that the padding y'all introduced mitigates this report, please close it out. :)
,
Jan 9 2018
Hello, padding fixed the issue. Thank you for support and keeping us safe, Peter.
,
Jan 9 2018
Our pleasure! Thanks for the report. |
||||||||
►
Sign in to add a comment |
||||||||
Comment 1 by krajshree@chromium.org
, Jan 3 2018