Re: [Resource Timing]Statements about cross-origin redirect should be more clearly

From: James Simonsen <simonjam@chromium.org>
Date: Tue, 9 Apr 2013 13:49:46 -0700
Message-ID: <CAPVJQin9gdPt1MYWa7RFuCcofiAsgse2u0HyX7pG1gt-CAnuWQ@mail.gmail.com>
To: "Deng, Pan" <pan.deng@intel.com>
Cc: Jatinder Mann <jmann@microsoft.com>, "public-web-perf@w3.org" <public-web-perf@w3.org>

Sounds good to me. The important thing is that each redirect must allow the
document's origin.

The only question is what to do if R2 disallows and the rest allow. Should
we include R3 in redirectStart/End or just leave those fields permanently
zeroed out? Is there any risk in revealing where in the chain the
cross-origin redirect may have occurred?

James


On Mon, Apr 1, 2013 at 2:10 AM, Deng, Pan <pan.deng@intel.com> wrote:

> Reviving this thread, as it has gone cold.
>
> I think the proposed clarification will clarify the usage for browser/web
> developers, and it won't change the intended meaning of the Resource Timing
> spec. Any comments?
>
> Thanks
>
> Pan
>
> *From:* Deng, Pan [mailto:pan.deng@intel.com]
> *Sent:* Monday, February 04, 2013 5:12 PM
> *To:* public-web-perf@w3.org
> *Subject:* [Resource Timing]Statements about cross-origin redirect should
> be more clearly
>
> In Section 4.3 about ‘redirectStart’ and ‘redirectEnd’, the CR doc [1] says: "if
> any of the redirects are not from the same origin as the current document,
> and the Timing-Allow-Origin HTTP response header rules are met, this
> attribute must return ……"
>
> What is the meaning of "Timing-Allow-Origin HTTP response header rules are
> met"?
>
> Consider this scenario: doc D requests R1 -> R2 -> R3 -> R4 ("->" means
> redirect; R4 is the final resource).
>
> It may imply:
>
> a) Any Ri’s response timing-allows origin D (applies to any Ri and doc D).
>
> b) R1’s response timing-allows origin D, R2’s response timing-allows R1, …
> until R4’s response timing-allows R3 (applies to the redirect chain).
>
> From the timing-allow-check algorithm in [2], it can be inferred that a) is
> the right one.
>
> However, Processing Model 3.19a of [1] says “If the current resource and
> the resource that is redirected to are not from the same origin, set
> redirectStart and redirectEnd to 0”. Here redirectStart/End should be reset
> as soon as there is a cross-origin redirect, without any Timing-Allow-Origin
> consideration at all. Is this a typo?
>
> To make the spec clearer, I suggest a small modification to avoid the
> inconsistency:
>
> The statement in section 4.3 can be modified to “if any of the redirects are
> not from the same origin as the current document, and the
> Timing-Allow-Origin HTTP response header rules are met by the current document”,
>
> and Processing Model 3.19a can be modified to “if the current resource and the
> document are not from the same origin, and the Timing-Allow-Origin HTTP response
> header rule is not met by the document, set redirectStart and redirectEnd
> to 0”.
>
> Any ideas?
>
> Thanks
>
> Pan
>
> [1] http://www.w3.org/TR/2012/CR-resource-timing-20120522/
>
> [2] https://dvcs.w3.org/hg/webperf/raw-file/tip/specs/ResourceTiming/Overview.html#timing-allow-check
>
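The check the thread is arguing about, written out as an added example (not code from the thread, from the Resource Timing spec, or from any browser). It follows the reading James and Pan converge on, Pan's option a): every response in the chain D -> R1 -> R2 -> R3 -> R4 that is cross-origin to the document must itself carry a Timing-Allow-Origin header allowing the document's origin. It assumes the header is a comma-separated list of serialized origins matched exactly (case-sensitive), with `*` as a wildcard, and it takes the conservative answer to James's question: if any hop fails, both redirectStart and redirectEnd are zeroed rather than exposing a partial chain. The function names, the response objects, the origins and the timing values are all constructed for the example.

```javascript
// Added example: model of the Resource Timing timing-allow-check applied to a
// redirect chain. Not from the mailing-list thread or any browser implementation.

// Split a Timing-Allow-Origin header value into its tokens (assumption: a
// comma-separated list of serialized origins, possibly containing "*").
function parseTimingAllowOrigin(headerValue) {
  if (headerValue === null || headerValue === undefined) return [];
  return headerValue.split(',').map((s) => s.trim()).filter((s) => s.length > 0);
}

// timing-allow-check for a single response: a same-origin response always
// passes; a cross-origin response passes only if its header lists "*" or the
// document's serialized origin exactly.
function timingAllowCheck(documentOrigin, response) {
  if (response.origin === documentOrigin) return true;
  const allowed = parseTimingAllowOrigin(response.timingAllowOrigin);
  return allowed.some((tok) => tok === '*' || tok === documentOrigin);
}

// Apply the check to every hop of the chain (option a) in Pan's mail: each Ri
// is checked against doc D, not against the previous hop). If any hop fails,
// redirectStart/redirectEnd are both zeroed; exposing the hops that passed
// would reveal where in the chain the disallowing cross-origin redirect sits.
function redirectTimingForChain(documentOrigin, chain, timings) {
  const hopResults = chain.map((resp) => timingAllowCheck(documentOrigin, resp));
  const exposeRedirects = hopResults.every(Boolean);
  return {
    hopResults,
    redirectStart: exposeRedirects ? timings.redirectStart : 0,
    redirectEnd: exposeRedirects ? timings.redirectEnd : 0,
  };
}

// Constructed sample data (hypothetical origins and timings): doc D at
// https://app.example requests R1, which redirects via R2 and R3 to R4.
const DOCUMENT_ORIGIN = 'https://app.example';
const SAMPLE_TIMINGS = { redirectStart: 100.5, redirectEnd: 340.25 };

function sampleChain(r2Header) {
  return [
    // R1 is same-origin with D, so it passes without any header.
    { name: 'R1', origin: 'https://app.example', timingAllowOrigin: null },
    // R2 is the hop whose header we vary between the two scenarios.
    { name: 'R2', origin: 'https://short.example', timingAllowOrigin: r2Header },
    // R3 allows everyone via the wildcard.
    { name: 'R3', origin: 'https://cdn.example', timingAllowOrigin: '*' },
    // R4 (final resource) lists D among several allowed origins.
    { name: 'R4', origin: 'https://static.example',
      timingAllowOrigin: 'https://other.example, https://app.example' },
  ];
}

// Two scenarios: every hop allows D, and R2 allows some other origin instead.
function demo() {
  return {
    allAllow: redirectTimingForChain(DOCUMENT_ORIGIN, sampleChain('https://app.example'), SAMPLE_TIMINGS),
    r2Disallows: redirectTimingForChain(DOCUMENT_ORIGIN, sampleChain('https://other.example'), SAMPLE_TIMINGS),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

In the second scenario `hopResults` still records that R2 was the hop that failed, but that array is internal to the check; the only values handed to script are the two zeroed attributes, so nothing about the position of the failing redirect is observable.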
Received on Tuesday, 9 April 2013 20:50:15 UTC