Comments (11)
Presumably you'd expect the third-party script on your page to behave. If you caught it misbehaving you could stop using it, or complain.
In practice, neither of those are true.. hence why we're having this discussion. I add a script that adds a script that loads an iframe with a script that loads an iframe coming from fifth party in the chain with super heavy creative. Tracking that down is nearly impossible, since we isolate origins and I can't monitor sizes of arbitrary resources.
Stepping back: I'm sure there is some use case for this functionality.. But, in the spirit of focusing on shipping a v1 MVP, personally I don't think this is critical or necessary. That said, happy to be convinced otherwise. :)
from transfer-size.
@ojanvafai @igrigorik Any thoughts?
from transfer-size.
Wouldn't this make it trivial to circumvent such policy? E.g. if you have top-level script on the page that injects frames, what stops it from injecting just outside your "enforced region"? It seems that if you want the policy to stick against mis-behaving players, you have to enforce it document wide, or isolate them within an isolated sandbox.. at which point you're back to document-wide.
In short, my hunch is that this is both weak and unnecessary?
from transfer-size.
An adversarial script could get around it. Presumably you'd expect the third-party script on your page to behave. If you caught it misbehaving you could stop using it, or complain.
For cases where you completely distrust the script, you could use the response-header.
from transfer-size.
It's still trivial for a third-party to circumvent the response headers. Just avoid making the frame in the first place, or create a same-origin frame if a frame is necessary.
Ideally the last trusted party in the chain (perhaps the ad server script) should create an x-origin iframe to stuff untrusted code in. If they don't do that (and they usually don't), then there isn't much that can be done today.
from transfer-size.
It's still trivial for a third-party to circumvent the response headers. Just avoid making the frame in the first place, or create a same-origin frame if a frame is necessary.
Good point.
Coming back to the beginning: I guess this boils do (a) whether selector targeting is critical for the use case, and (b) if CSS is appropriate.. E.g. what stops a page from creating a mutationobserver and applying a policy on the fly as iframes are appended?
from transfer-size.
In terms of its criticality for the use-case, it seems far more developer-friendly than response headers. The only place I see an issue with it is if the first party doesn't know where the script wants to insert elements into the dom.
I expect TransferSizePolicy will be set once per frame, when it's created. This is how FeaturePolicy behaves. Can you allow features via FeaturePolicy via mutationobserver or is it too late at that point?
Paging @domenic and @ojanvafai for more input on the idea of setting TransferSizePolicy via CSS.
from transfer-size.
Re, FP policy: you can set it via a response header as a document wide policy, and you can target individual frames via allow -- see examples... I think we should align with FP capabilities here. /cc @clelland
from transfer-size.
FP is definitely immutable once the document has been loaded, by design.
We do have the allow attribute, which sets a 'container policy' for individual frames. I don't know whether extending that attribute, or adding another attribute for TSP would make more sense.
CSS seems totally crazy-talk, BTW. :)
I would just wait for something like
iframe:nth-child(2) {
max-transfer-size: 100KB;
}
div div span iframe {
max-transfer-size: 50KB;
}
iframe:hover {
max-transfer-size: 200KB;
}
a:visited + iframe:target {
max-transfer-size: 1GB;
}
or similar crazy :)
from transfer-size.
Cascading Style Sheets.
What about "max transfer size" equals "style"?
from transfer-size.
It's certainly not style. I'm just trying to find the webby way to apply something to a subset of elements on a page, but will stick with response headers for now.
from transfer-size.
Related Issues (16)
- TAO opt-in: pros, cons, and implementation HOT 3
- Setting transfer size in the response header? HOT 2
- Report-only mode HOT 2
- Header vs attribute configuration HOT 1
- Specifying limits in iframe request headers
- Questions about design HOT 4
- Document resource-types supported in transfersize HOT 1
- transfer-size as a Feature-Policy? HOT 2
- Is this still active? HOT 2
- How do we do data accounting for ServiceWorker requests? HOT 12
- Accounting with encodedBodySize doesn't work with SDCH HOT 4
- Mitigating the cross-origin size leak if we don't use TAO opt-in
- Restrictions modified by browser config or platform flag? HOT 2
- Scenario: video playback HOT 25
- Request to rename Content Size Policy to Network Policy HOT 8
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from transfer-size.