Accounting with encodedBodySize doesn't work with SDCH

[csharrison]

A malicious iframe can request tiny resources that advertise huge dictionaries. Unless we data account those dictionaries, the frame can use the huge dictionaries as an effective way to bypass data accounting.

Counting SDCH downloads to a particular frame has a complex implementation cost in Chromium. Do we think we can move encodedBodySize to decodedBodySize to fix this bug?

[igrigorik]

Didn't we deprecate SDCH? Is this still relevant?

[jkarlin]

Chrome has deprecated it. Not sure about others. Brotli may run into a similar issue in the future.

[igrigorik]

AFAIK, so has everyone else: https://www.chromestatus.com/feature/5763176272494592.

I agree that there will be edge cases to consider here with any form of shared dictionary / delta compression mechanisms. However, none of those are well formed yet.. I propose we close this and tackle that when it actually starts to smell like a real thing? :)

[jkarlin]

sgtm