9 comments

[ 0.33 ms ] story [ 29.4 ms ] thread
Will we be able to report errors using the upcoming report-to header? I didn't see a report mechanism listed, but like with hpkp and cors I would like those errors to.be reporteable
Does anyone have good additional links? I don't understand the risk of delivering an HTML document to. script tag src?
The risk is via side channel attacks like Spectre. Even if the script fails to execute (since it's html and not javascript), the html document has been loaded into the memory of the process which included the script tag, which can now start reading that memory via side channel attacks.
This should also help put an end to cross domain search timing attacks. An old example of one using the IMG tag:

https://www.idontplaydarts.com/2015/09/cross-domain-timing-a...

But chrome doesn't see the content type until after the response is served.
No, it sees the content type in the headers that are at the start of the response. Presumably if that header isn't correct it'll stop downloading any further data.
After Lucene has spent some variable amount of time depending on how many documents match the query...
(comment deleted)