Expose Content-Length header in CORS requests

[benjamingr]

As discussed with @annevk on IRC. (thanks again for the direction)

Currently Chrome and IE (but not Firefox) expose e.total on ProgressEvents. This was discussed in #284.

The value of Content-Length is very valuable on HEAD requests. We sometimes make HEAD requests to resources in order to choose whether or not they are prohibitively expensive for the client to download or not - or to make smart decisions about downloading them.

Currently this is possible (due to ProgressEvents on Chrome) but not Firefox - I think we should safelist the Content-Length header in CORS requests.

[annevk]

@estark37 @mikewest @dveditz @ckerschb what do you think? The additional risk here would be when Content-Length contains some unusual value, but generally if you expose the response body you also expose its length. And apparently we already expose it through side channels such as progress events.

[mikewest]

For my own clarity, the suggestion is that we'd add this to the list of CORS-safelisted response-header names, so that it would be exposed on filtered responses without the server opting-in via Access-Control-Allow-Headers? That seems reasonable to me.

[TejasQ]

I'd find this quite useful as well. +1.

[annevk]

@mikewest yes.

[estark37]

Sounds reasonable to me as well.

[annevk]

@benjamingr are you interested in writing a PR for this and perhaps even corresponding changes to web-platform-tests?

[annevk]

(To be clear, I think this has enough support from implementers to be merged.)

[benjamingr]

@annevk sure, I'll go right ahead. I apologize in advance about getting the PR wrong :)

[domenic]

I'm unclear why we're adding more cross-origin information leaks to the platform :(

[annevk]

@domenic you're concerned about a server having Content-Length: SECRET and inadvertently revealing that to the other party it's happy to use CORS with?

[domenic]

I think so, although maybe I'm not fully understanding?

In general I'm concerned with any movement away from a model where getting information cross-origin requires opt-in from the cross-origin target server.

[benjamingr]

@domenic this is specifically for content length in a CORS request, this is useful for video players who can then decide whether or not to download a video segment via HEAD request for example.

If you'd like I can add more motivating examples. It currently leaks anyway, but in a hacky way.

[domenic]

I think I was misunderstanding the situation because of my confusion between "CORS request" and "cross origin request". This is probably fine, and I didn't mean to second-guess security folks anyway, just understand better.