
[Privacy] Potential side-channel in downloadTotal enforcement for cross-origin resources #178

@yoshisatoyanagisawa

There appears to be a discrepancy between the Background Fetch specification's enforcement of downloadTotal and the requirements for cross-origin resource isolation. Current behavior may allow for XS-Leaks (Cross-Site Leaks) regarding the size of cross-origin resources.

Observable Side-Channel via downloadTotal
The specification defines a mechanism where the total bytes downloaded across all records are monitored against a downloadTotal limit. If this limit is exceeded by any single record, the entire background fetch operation is aborted through the abort all flag.

The privacy issue arises because cross-origin resources contribute to this total count before a final CORS check is concluded. Because the abort state of the overall fetch operation is observable to the script, the downloadTotal limit can be used as an "oracle" to determine whether a cross-origin resource's size is above or below a specific threshold. This allows an origin to leak the size of resources it should not have access to.

Comparison with Precedents
This information leak is analogous to the vulnerability recently addressed in the Fetch API (cf. crbug.com/474435504), where handling of specific status codes for opaque responses provided a side-channel for resource size detection. In that case, the fix involved ensuring symmetric behavior for such responses to eliminate the observable difference.

Proposed Solution
The specification and implementations should ensure that cross-origin resource failures (such as CORS violations) do not impact the overall state of a background fetch in an observable way.

We recommend refining the abortion logic so that if a fetch would be aborted due to a downloadTotal violation by a cross-origin resource, the failure is either handled silently or the error state is masked to prevent size-based side-channel attacks.
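
The accounting discrepancy described in this issue can be written down as a non-interference check. This is an added example, not part of the original issue and not spec or browser code: the record shape, the function names and the `state`/`failed` result fields are hypothetical, and `accountAfterCors` is one assumed reading of the proposed fix.

```javascript
// Simplified model of downloadTotal accounting; not spec text or browser code.
// Record shape (hypothetical): { url, size, crossOrigin, corsOk }.

// Accounting as the issue describes it: every record's bytes count toward
// downloadTotal before the CORS outcome is known; one overrun aborts all.
function accountBeforeCors(records, downloadTotal) {
  let total = 0;
  for (const r of records) {
    total += r.size;
    if (total > downloadTotal) return { state: 'aborted', failed: records.length };
  }
  const failed = records.filter(r => r.crossOrigin && !r.corsOk).length;
  return { state: 'done', failed };
}

// One reading of the proposed fix (assumption): only bytes the page is
// allowed to read count toward the limit. A record that fails CORS fails the
// same way at any size, so its size cannot change the observable state.
function accountAfterCors(records, downloadTotal) {
  let total = 0;
  let failed = 0;
  for (const r of records) {
    if (r.crossOrigin && !r.corsOk) { failed++; continue; }
    total += r.size;
    if (total > downloadTotal) return { state: 'aborted', failed: records.length };
  }
  return { state: 'done', failed };
}

// Non-interference check: vary only the size of the CORS-failing record and
// report whether the observable outcome stays identical.
function sizeIndependent(enforce, sizes, downloadTotal) {
  const outcomes = sizes.map(size => JSON.stringify(enforce([
    { url: 'https://app.example/a.bin', size: 1000, crossOrigin: false, corsOk: true },
    { url: 'https://other.example/secret', size, crossOrigin: true, corsOk: false },
  ], downloadTotal)));
  return outcomes.every(o => o === outcomes[0]);
}

const sizes = [10, 5000, 900000]; // constructed sizes in bytes
console.log(sizeIndependent(accountBeforeCors, sizes, 4096)); // false
console.log(sizeIndependent(accountAfterCors, sizes, 4096));  // true
```

A check of this shape can serve as a regression test for any candidate fix: the observable outcome must not vary with the size of a resource the page is not allowed to read.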
