Skip to content

Hide range values from no-cors cross-origin range requests #1936

Description

@jakearchibald

#560 allowed range requests from media elements to pass through the service worker. However, you can see the range header in the service worker, and this can be used to learn the byte size of the media resource, even if it's cross-origin, by forcing a request for the final chunk of the media.

Media is pretty leaky already, as it'll give you the duration of the resource, but it seems like we shouldn't make the byte length observable.

We could do one of the following:

  • Hide the range header value on these requests.
  • Lie that the range header value is 0-.

The advantage of the latter is that code that detects whether the request is a range request will still work… maybe.

The rest of the rules we have in the spec, like removing the range header if the request is modified, will remain.

Metadata

Metadata

Assignees

No one assigned

    Labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions