
Consider Same-Origin Policy Relaxation Leaks (XSSI) as XS-Leaks? #26

Open
manuelvsousa opened this issue Sep 24, 2020 · 0 comments
Labels: discussion (Needs further discussion)

Comments

manuelvsousa (Member) commented Sep 24, 2020

We excluded a group of Leaks that abuse certain discrepancies in dynamic JS/CSS Resources and properties of Images. Some of these attacks are:

  • Detect that a CSS resource changed in two different states Ref 1, Ref 2
  • Check the height and width of an image in two different states Ref 1
  • Check JS file changes in two different states (global vars, mutations) Ref 1, Ref 2
  • Same for media/audio files

Although there is no formal definition of XS-Leaks to exclude a vulnerability that actually leaks something cross-site, I believe it's debatable whether these leaks should be included in this wiki. Mostly, as their primary characteristic is pretty much the same as XSSI and differs (in principle) from most of the XS-Leaks in this wiki, which in a way circumvent the Same-Origin Policy.

Some things to think about:

  • In this scenario attackers don't have direct access to secrets (like in simple XSSI?), they can, however, infer them based on the contents they legitimately can access. In these cases, the SOP is relaxed (as intended).
  • Can we see XS-Leaks as a group of vulnerabilities whose principle diverged from common vulnerabilities? Is the circumvention of the SOP a thing they all have in common?

The defense perspective has mostly two outcomes:

  • Applications completely stop the delivery of dynamic JS/CSS/Img
  • Applications limit who has access to such resources (which origins). The only solution that might really help here is Fetch-Metadata.

My final conclusion is: I would say that their principle is the same as XSSI (they are XSSI vulnerabilities), and since XSSI have their own league, it seems redundant to drag them here.
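The Fetch-Metadata mitigation named in the defense bullets above, as an added example that is not part of this issue or of the xsleaks wiki: a resource-isolation check, in plain Node.js, that refuses to serve state-dependent JS/CSS/image/media files to cross-site embeds while leaving same-site loads, user-initiated navigations and browsers without Fetch Metadata untouched. The header names and values are the standard Sec-Fetch-Site / Sec-Fetch-Mode / Sec-Fetch-Dest ones; the function names, the exact policy shape, the `Vary` choice and the sample requests are assumptions made here.

```javascript
// Added example (not code from the xsleaks wiki or this issue): a Fetch Metadata
// resource-isolation check for endpoints that serve dynamic JS/CSS/images/media.
// Sec-Fetch-* names and values are the standard ones; function names, policy
// details and the sample requests below are constructed for this example.

// Destinations whose cross-site loads the CSS/image/JS/media probes rely on.
const DYNAMIC_DESTS = new Set(["script", "style", "image", "audio", "video", "font"]);

// Case-insensitive header lookup; missing headers read as "".
function header(headers, name) {
  return String(headers[name.toLowerCase()] || "").toLowerCase();
}

// Decide whether a request for a state-dependent resource may be served.
// Returns { allow, reason } so blocked requests can be logged with a reason.
function isolateDynamicResource(headers) {
  const site = header(headers, "Sec-Fetch-Site");
  const mode = header(headers, "Sec-Fetch-Mode");
  const dest = header(headers, "Sec-Fetch-Dest");

  // Browsers that predate Fetch Metadata send no Sec-Fetch-* headers; a strict
  // policy cannot classify them, so fail open and rely on other defenses.
  if (site === "") return { allow: true, reason: "no Fetch Metadata headers" };

  // Same-origin / same-site loads and user-initiated requests (address bar,
  // bookmark; Sec-Fetch-Site: none) are not a cross-site embed.
  if (site === "same-origin" || site === "same-site" || site === "none") {
    return { allow: true, reason: `Sec-Fetch-Site=${site}` };
  }

  // cross-site: a top-level navigation only shows the file to the user and
  // gives the navigating page nothing to inspect, so it may proceed.
  if (mode === "navigate" && dest === "document") {
    return { allow: true, reason: "cross-site top-level navigation" };
  }

  // Anything else from another site is an embed (script/link/img/audio tag or
  // a fetch); that is exactly the load the two-state comparison needs.
  const kind = DYNAMIC_DESTS.has(dest) ? dest : (dest || mode || "unknown");
  return { allow: false, reason: `cross-site ${kind} load blocked` };
}

// Turn the decision into an HTTP response. `Vary` stops a shared cache from
// handing the allowed same-site variant to a later cross-site requester.
function buildResponse(headers, body) {
  const decision = isolateDynamicResource(headers);
  const common = { Vary: "Sec-Fetch-Site, Sec-Fetch-Mode, Sec-Fetch-Dest" };
  if (!decision.allow) {
    return { status: 403, headers: common, body: "", reason: decision.reason };
  }
  return { status: 200, headers: common, body, reason: decision.reason };
}

// Constructed sample requests, shaped as a browser would send them.
const SAMPLES = {
  sameOriginScript: { "sec-fetch-site": "same-origin", "sec-fetch-mode": "no-cors", "sec-fetch-dest": "script" },
  crossSiteStyle: { "sec-fetch-site": "cross-site", "sec-fetch-mode": "no-cors", "sec-fetch-dest": "style" },
  crossSiteImage: { "sec-fetch-site": "cross-site", "sec-fetch-mode": "no-cors", "sec-fetch-dest": "image" },
  crossSiteNavigation: { "sec-fetch-site": "cross-site", "sec-fetch-mode": "navigate", "sec-fetch-dest": "document" },
  legacyBrowser: {},
};

// Run every sample through the policy; returns one record per sample.
function runSamples() {
  return Object.entries(SAMPLES).map(([name, headers]) => {
    const r = buildResponse(headers, "/* state-dependent body */");
    return { name, status: r.status, reason: r.reason };
  });
}

for (const r of runSamples()) {
  console.log(`${r.name.padEnd(20)} -> ${r.status} (${r.reason})`);
}
```

The policy fails open for requests without Sec-Fetch-* headers; whether that is acceptable depends on how much of the user base still runs browsers without Fetch Metadata, and the `reason` strings are meant to be logged so the rate of blocked cross-site loads can be watched after rollout.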

@manuelvsousa manuelvsousa added the discussion Needs further discussion label Sep 24, 2020
@manuelvsousa manuelvsousa changed the title Consider Same-Origin Policy Relaxations Leaks as XS-Leaks? Consider Same-Origin Policy Relaxation Leaks as XS-Leaks? Sep 24, 2020
@manuelvsousa manuelvsousa changed the title Consider Same-Origin Policy Relaxation Leaks as XS-Leaks? Consider Same-Origin Policy Relaxation Leaks (XSSI) as XS-Leaks? Sep 25, 2020