-
Notifications
You must be signed in to change notification settings - Fork 150
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Provide clear guidelines for what Timing-Allow-Origin
should expose
#664
Comments
I think 3 is okay, but note that would make |
For |
It is handled by fetch internally (and at the moment you cannot configure yourself out of that), but it is very much a property of the resource. |
A while ago we talked about something similar in the context of the My simplified mental model of what we landed on is that setting CORP (or, specifically setting CORP Extending this logic to TAO, I think it would make sense for it to give access to information related to loading of the resource (e.g. timestamps/durations and potentially cache status), but not the metadata of the resource (such as Content-Type, status code, etc). This seems similar to @annevk's conclusion above, except that I'm less sure about not exposing OTOH it would a bit strange if |
Note that TAO already exposes non-timing information about the resource, e.g. @annevk Regarding |
Pretty sure all |
Yea, (2) is a subset of (3). It's limited to the fetch, and within that only to things that are particularly related to timing. |
Timing-Allow-Origin
(defined in the fetch spec) is a header that signals the user agent that particular timing-related characteristics of fetching a resource should be visible to the requesting origin, irrespective of whether it was requested via CORS.Since its inception, several new additions were proposed to resource timing, and more often than not it was unclear whether this opt-in is a sufficient signal that it's OK to expose this particular bit of information.
Those so far include exposing
content-type
, the status code, andcontent-encoding
(see w3c/resource-timing#411 and whatwg/fetch#1796 for the latter).With each of these, and potentially with future additions in mind, we would like to have a clear general guidelines of what is "OK" to expose for cross-origin resources that are served with the appropriate
Timing-Allow-Origin
header, what requires CORS, and what has to be same-origin.There are roughly three ways to go about it (from conservative to relaxed)
Timing-Allow-Origin
can expose, as to not overload new meanings on old opt-ins.Timing-Allow-Origin
can expose only values that are specifically timing values, as in durations and timestamps.Timing-Allow-Origin
can expose anything that is information about the fetch, but is not information about the resource itself. i.e., if the response was cached and retrieved in a service worker you'd get a different result.Would love to have some collective thoughts about it and reach a guideline before we ship anything new in resource timing.
/cc @yoavweiss @annevk @achristensen07 @camillelamy @arturjanc @ddworken
The text was updated successfully, but these errors were encountered: