transferSize might reveal HttpOnly cookies · Issue #238 · w3c/resource-timing

I've analysed usage in Wikimedia codebases, and the libraries we distribute currently. Indeed the only use case currently found was to "guess" whether a resource was a local cache hit, 304 Not Modified response, or fresh download.

It generally follows this pattern:

```js
// Resource Timing API
// nt is a PerformanceResourceTiming entry for the resource in question
if (nt.transferSize === 0) {
  // nothing on the wire: served from the local cache
  browserCache = 'local hit';
} else if (nt.transferSize > 0 && nt.encodedBodySize > 0 && nt.transferSize < nt.encodedBodySize) {
  // fewer bytes transferred than the body is long: only headers came back (304)
  browserCache = 'local hit (after HTTP 304)';
} else {
  browserCache = 'miss (HTTP 200 OK)';
}
```

I support the mitigation reducing transferSize to just a fixed amount for headers plus encodedBodySize, if transferred.

Now that we've learned that we don't want to expose the actual transfer size, I wonder if it would make sense to remove this in a future iteration of the spec. From what I can tell, it seems likely safe for web compat for it to become undefined, as the original spec didn't have it (afaik), and Safari still doesn't implement it.

In that case, we may want to first decide how to provide the cache status in a more intuitive manner for future generations, since this definitely doesn't seem like a good API for it long-term. It would be confusing both because it doesn't provide what it appears to, and the thing it actually provides (cache status) is hard to learn/discover this way. It seems appealing to jump for a shiny new field like cacheStatus holding three possible values, but that might be rather inflexible over the long-term and presents the same problem we've since faced in other APIs when we try to capture complex information in a single string, which means we can't then add new values to it that are related without breaking existing code. In this case something more split up might make sense e.g. boolean wasBodyTransferred. Depending on whether we want to long-term expose http status codes and/or to differentiate between 304 vs fully local hit, we might want to add another bool or integer field.

(Wording of "was" vs "did" still TBD in w3ctag/design-reviews#547)
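The following is an added example, written for this page; it is not code from the issue thread, from Wikimedia, or from the Resource Timing spec. It models the two PerformanceResourceTiming fields the heuristic above relies on (transferSize and encodedBodySize) for constructed responses, shows what a raw transferSize gives away about response headers, and applies the fixed-allowance mitigation the comment supports. The header strings, the 300-byte allowance, and all function names are this example's own assumptions, and the last case shows a caveat of the heuristic under that mitigation.

```javascript
// Added example (not from the issue, Wikimedia, or the spec).
// Assumed fixed header allowance used by the mitigation.
const FIXED_HEADER_BYTES = 300;

// Constructed response headers: identical apart from the HttpOnly cookie length.
const SHORT_HEADERS =
  'HTTP/1.1 200 OK\r\nContent-Type: text/css\r\nSet-Cookie: session=a1b2c3; HttpOnly\r\n\r\n';
const LONG_HEADERS =
  'HTTP/1.1 200 OK\r\nContent-Type: text/css\r\nSet-Cookie: session=' +
  'x'.repeat(200) + '; HttpOnly\r\n\r\n';
const BODY_BYTES = 1000; // encodedBodySize of the constructed resource

function byteLength(s) {
  return new TextEncoder().encode(s).length;
}

// Raw (unmitigated) entry as a browser would compute it:
//   'local'     -> served from cache, nothing on the wire
//   'validated' -> 304 Not Modified, only headers on the wire
//   'network'   -> full 200 response, headers plus body
function rawEntry(kind, headers, encodedBodySize) {
  const headerBytes = byteLength(headers);
  const transferSize =
    kind === 'local' ? 0 :
    kind === 'validated' ? headerBytes :
    headerBytes + encodedBodySize;
  return { transferSize, encodedBodySize };
}

// Mitigated entry: a constant stands in for the real header size, so the
// value no longer depends on what Set-Cookie (or any other header) contained.
function mitigatedEntry(kind, encodedBodySize) {
  const transferSize =
    kind === 'local' ? 0 :
    kind === 'validated' ? FIXED_HEADER_BYTES :
    FIXED_HEADER_BYTES + encodedBodySize;
  return { transferSize, encodedBodySize };
}

// The cache-status heuristic quoted in the comment, as a function.
function classify(nt) {
  if (nt.transferSize === 0) return 'local hit';
  if (nt.transferSize > 0 && nt.encodedBodySize > 0 &&
      nt.transferSize < nt.encodedBodySize) return 'local hit (after HTTP 304)';
  return 'miss (HTTP 200 OK)';
}

// What an observer can derive from an entry: the number of header bytes,
// which with raw values moves with the length of Set-Cookie values.
function inferredHeaderBytes(nt) {
  if (nt.transferSize === 0) return 0;
  return nt.transferSize < nt.encodedBodySize
    ? nt.transferSize                          // 304: everything transferred was headers
    : nt.transferSize - nt.encodedBodySize;    // 200: headers are the remainder
}

// Demo: same body, different cookie length. Raw values differ; mitigated ones do not.
const rawShort = rawEntry('network', SHORT_HEADERS, BODY_BYTES);
const rawLong = rawEntry('network', LONG_HEADERS, BODY_BYTES);
console.log('raw header bytes:', inferredHeaderBytes(rawShort), inferredHeaderBytes(rawLong));
console.log('mitigated header bytes:', inferredHeaderBytes(mitigatedEntry('network', BODY_BYTES)));

// Caveat: the "transferSize < encodedBodySize" test only detects a 304 when the
// body is larger than the header allowance. A 304 for a 120-byte body reports
// transferSize 300 under the mitigation and is classified as a miss (the same
// thing already happens with raw values whenever headers exceed the body).
console.log('304 for a small body:', classify(mitigatedEntry('validated', 120)));
```

Under the mitigation the heuristic still separates the three common cases for bodies larger than the allowance, which is why the comment can support it while using this pattern; the small-body case is the kind of ambiguity that a dedicated boolean such as the proposed wasBodyTransferred would remove.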