
[NavigationTiming] navigationStart in Cross-origin redirects

From: Zhiheng Wang <zhihengw@google.com>
Date: Mon, 4 Apr 2011 10:37:50 -0700
Message-ID: <BANLkTimaqW-C4LU7+35_faZ70A5xYajn1g@mail.gmail.com>
To: public-web-perf <public-web-perf@w3.org>
   The current NavigationTiming spec
<http://w3c-test.org/webperf/specs/NavigationTiming/> enforces the
same-origin policy over information regarding redirection,
including redirectStart, redirectEnd and redirectCount (and hence
navigationStart when there is a redirect). This is supposed to be a
conservative step to prevent the final page from estimating the timings
of pages of other origins, which could be a potential privacy issue.
The decision is recorded in
the topic has been discussed in
[5] <http://lists.w3.org/Archives/Public/public-web-perf/2010Oct/0031.html>.

   After chatting with some developers, omitting part of the redirect
latency leaves latency measurement unusable in some common
cases such as the 301 redirect from a TLD to its www domain (w3c.org to
www.w3c.org for example). And there is currently
no obvious way to capture it with JS clients. This seems to be a let-down
considering the NavigationTiming spec was started to solve
the exact problem in non-redirect cases.

   Meanwhile, by timing iframe loading time and other techniques,
a malicious page can already estimate the time it takes to load a page
including HTTP redirects, so exposing navigationStart doesn't make it worse
in terms of user privacy.
I would propose
to lift the SOP constraint on navigationStart in case of redirect.

   Thoughts and comments?

   On a related note, I can't think of a real-life example where domain A
redirects to domain B while exposing the redirect time and count on
domain A is harmful, given that only HTTP redirects are considered here.
Can anyone provide a case for it? We should include it in the


[2] http://lists.w3.org/Archives/Public/public-web-perf/2010Oct/0068.html
[3] http://lists.w3.org/Archives/Public/public-web-perf/2010Oct/0027.html
[4] http://lists.w3.org/Archives/Public/public-web-perf/2010Oct/0066.html
[5] http://lists.w3.org/Archives/Public/public-web-perf/2010Oct/0031.html
Received on Monday, 4 April 2011 17:38:21 UTC
