Privacy and Security section should mention that a user agent may choose to not expose cross-origin PerformanceServerTiming entries even with TAO #89
Comments
(This is intended to be discussed at TPAC 2022)
Can you clarify if you're considering CORS same origin (cross origin with a
I'm not considering CORS same origin, though you are correct that CORS resources can already pass arbitrary information.
Motivating example from my slides at TPAC:
With server timing, example1.com can now send unique identifiers to example2.com without modifying any content
Thanks for the concrete example! This makes discussing this significantly easier! So, we have Given that both
It is indeed possible for example1.com to modify its content, but this is to increase the privacy when example1.com does not modify its content, which is quite common on the web.
@achristensen07 IIUC the HTML resource's origin (which is the one you're concerned doesn't modify its content) is neither
@jeremyroman You understand correctly.
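The tracking channel described in the comment above, as an added illustration that is not part of the issue, the Server-Timing spec text, or any browser's implementation. It models, in simplified form, what a user agent does with a cross-origin response: parse the `Server-Timing` header into `PerformanceServerTiming`-like records, and decide whether to expose them to the requesting document. The `desc` parameter is an opaque string, so once `Timing-Allow-Origin` passes, an identifier set by `example1.com` is readable by script on `example2.com` without any change to the resource body. The `policy` switch contrasts the spec's TAO behaviour with the same-origin-only restriction discussed in this issue. The header grammar handling, the hypothetical `SAMPLE_RESPONSE`, and the origins are constructed for this example; the parser is a loose approximation of the spec algorithm, not a conformant one.

```javascript
// Added example: simplified model of PerformanceServerTiming exposure.
// Not spec text and not any browser's code; header parsing is approximate.

// Split on `separator` while respecting quoted-string values (a `desc` may
// legitimately contain commas or semicolons inside quotes).
function splitOutsideQuotes(input, separator) {
  const out = [];
  let current = "";
  let inQuotes = false;
  for (let i = 0; i < input.length; i++) {
    const ch = input[i];
    if (inQuotes && ch === "\\" && i + 1 < input.length) {
      current += ch + input[++i]; // keep escaped char for unquoting later
      continue;
    }
    if (ch === '"') inQuotes = !inQuotes;
    if (ch === separator && !inQuotes) {
      out.push(current);
      current = "";
      continue;
    }
    current += ch;
  }
  out.push(current);
  return out.map((s) => s.trim()).filter((s) => s.length > 0);
}

// Parse a Server-Timing header value into records shaped like
// PerformanceServerTiming: { name, duration, description }.
function parseServerTiming(headerValue) {
  const entries = [];
  for (const rawMetric of splitOutsideQuotes(headerValue, ",")) {
    const parts = splitOutsideQuotes(rawMetric, ";");
    if (parts.length === 0) continue;
    const entry = { name: parts[0], duration: 0, description: "" };
    for (const param of parts.slice(1)) {
      const eq = param.indexOf("=");
      if (eq < 0) continue;
      const key = param.slice(0, eq).trim().toLowerCase();
      let value = param.slice(eq + 1).trim();
      if (value.length >= 2 && value.startsWith('"') && value.endsWith('"')) {
        value = value.slice(1, -1).replace(/\\(.)/g, "$1");
      }
      if (key === "dur") entry.duration = Number(value) || 0;
      else if (key === "desc") entry.description = value; // opaque string
    }
    entries.push(entry);
  }
  return entries;
}

// Timing-Allow-Origin check: "*" or an exact match on the requesting origin.
function passesTimingAllowOrigin(taoHeader, requesterOrigin) {
  if (!taoHeader) return false;
  return taoHeader
    .split(",")
    .map((v) => v.trim())
    .some((v) => v === "*" || v === requesterOrigin);
}

// What script at `requesterOrigin` would read from entry.serverTiming.
// policy "tao": expose cross-origin when TAO passes (spec behaviour).
// policy "same-origin-only": the stricter UA choice discussed in the issue.
function exposedServerTiming(response, requesterOrigin, policy = "tao") {
  const sameOrigin = response.origin === requesterOrigin;
  const taoPasses = passesTimingAllowOrigin(
    response.headers["timing-allow-origin"],
    requesterOrigin
  );
  const allowed = sameOrigin || (policy === "tao" && taoPasses);
  if (!allowed) return [];
  return parseServerTiming(response.headers["server-timing"] || "");
}

// Constructed sample: a response from example1.com that embeds a per-user
// identifier in `desc` and opts in to cross-origin timing via TAO.
const SAMPLE_RESPONSE = {
  origin: "https://example1.com",
  headers: {
    "timing-allow-origin": "*",
    "server-timing": 'cache;desc="hit", id;desc="u-7f3a9c, eu-west";dur=1.5',
  },
};

// Under the current spec, example2.com reads the identifier; under the
// same-origin-only policy the cross-origin entries are withheld.
const seenByExample2 = exposedServerTiming(SAMPLE_RESPONSE, "https://example2.com", "tao");
const withheld = exposedServerTiming(SAMPLE_RESPONSE, "https://example2.com", "same-origin-only");
console.log(seenByExample2.map((e) => `${e.name}=${e.description}`).join(" "));
console.log("same-origin-only exposes", withheld.length, "entries cross-origin");
```

The identifier rides in `desc`, which the spec treats as free text, so neither the resource body nor its URL needs to change for `example2.com` to receive it; that is the channel the comment refers to. Same-origin requests are unaffected by the stricter policy, which is why restricting cross-origin exposure costs first parties nothing.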
This was discussed at TPAC, and there was agreement we can allow such UA liberties in the spec. @achristensen07 - interesting in PRing something here? |
I can make a PR. |
…erTiming even with the presence of TAO header fields. This resolves w3c#89
Concerns about using server timing for tracking have prevented us from enabling PerformanceServerTiming in WebKit. If we limited it to same-origin even when TAO headers may be present, that would help us enable it.