RE: [Resource Timing]Statements about cross-origin redirect should be more clearly

I'll specify a redirection-origin-clean flag in the processing model to help make this clear.

Thanks,
Jatinder

From: Deng, Pan [mailto:pan.deng@intel.com]
Sent: Tuesday, April 9, 2013 7:46 PM
To: James Simonsen; Jatinder Mann
Cc: public-web-perf@w3.org
Subject: RE: [Resource Timing]Statements about cross-origin redirect should be more clearly

Agree, it's more strict than "if the value of redirectStart is not set".

Pan


From: James Simonsen [mailto:simonjam@google.com]
Sent: Wednesday, April 10, 2013 8:09 AM
To: Jatinder Mann
Cc: Deng, Pan; public-web-perf@w3.org
Subject: Re: [Resource Timing]Statements about cross-origin redirect should be more clearly

Works for me.

I think we need to make some more changes to 3.19 in the processing model to clarify that though. We should have a "flag" in the processing model that indicates redirectStart/End have been cleared. If that flag is set, we should never proceed to 3.19b, even if this particular redirect is allowed.

James

On Tue, Apr 9, 2013 at 4:53 PM, Jatinder Mann <jmann@microsoft.com> wrote:
Based on the current spec text, it seems like the behavior we had agreed upon in the past was that if any of the redirects are not of the same origin as the current document and if any of them do not pass the timing allow check algorithm, we will zero out the redirectStart and redirectEnd attributes. I think the idea here is that either we give the true redirection time or we give a zeroed-out time. If we give a partial value, it may not be clear that this isn't the true redirection time.

Thanks,
Jatinder

From: James Simonsen [mailto:simonjam@chromium.org]
Sent: Tuesday, April 9, 2013 1:50 PM
To: Deng, Pan
Cc: Jatinder Mann; public-web-perf@w3.org
Subject: Re: [Resource Timing]Statements about cross-origin redirect should be more clearly

Sounds good to me. The important thing is that each redirect must allow the document's origin.

The only question is what to do if R2 disallows and the rest allow. Should we include R3 in redirectStart/End or just leave those fields permanently zeroed out? Is there any risk in revealing where in the chain the cross-origin redirect may have occurred?

James

On Mon, Apr 1, 2013 at 2:10 AM, Deng, Pan <pan.deng@intel.com> wrote:
Reviving this thread as it has gone cold.
I think the proposed clarification will clarify the usage for browser/web developers, and it won't change the intended meaning of the Resource Timing spec. Any comments? :)

Thanks
Pan

From: Deng, Pan [mailto:pan.deng@intel.com]
Sent: Monday, February 04, 2013 5:12 PM
To: public-web-perf@w3.org
Subject: [Resource Timing]Statements about cross-origin redirect should be more clearly

In Section 4.3, about 'redirectStart' and 'redirectEnd', the CR doc [1] says: "if any of the redirects are not from the same origin as the current document, and the Timing-Allow-Origin HTTP response header rules are met, this attribute must return ......"
What is the meaning of "Timing-Allow-Origin HTTP response header rules are met"?
Consider the scenario: doc D req R1 -> R2 -> R3 -> R4. ("->": redirect, R4 is the final resource)
It may imply:
a) Any Ri's response timing-allows origin D. (applies to any Ri and doc D)
b) R1's response timing-allows origin D, R2's response timing-allows R1... till R4's response timing-allows R3. (applies to the redirect chain)

From the timing-allow-check algorithm in [2], it can be inferred that a) is the right one.
However, Processing Model 3.19a of [1] says "If the current resource and the resource that is redirected to are not from the same origin, set redirectStart and redirectEnd to 0". Here redirectStart/End would be reset once there is a cross-origin redirect, without considering Timing-Allow-Origin at all. Is this a typo?

To make the spec clearer, I suggest a small modification to avoid the inconsistency:
The statement in section 4.3 can be modified to "if any of the redirects are not from the same origin as the current document, and the Timing-Allow-Origin HTTP response header rules are met by current document",
and Processing Model 3.19a can be modified to "current resource and the document are not from same origin, and Timing-Allow-Origin HTTP response header rule is not met by the document, set redirectStart and redirectEnd to 0".
Any ideas?

Thanks :)
Pan

[1] http://www.w3.org/TR/2012/CR-resource-timing-20120522/
[2] https://dvcs.w3.org/hg/webperf/raw-file/tip/specs/ResourceTiming/Overview.html#timing-allow-check

Received on Wednesday, 10 April 2013 16:30:08 UTC
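
The rule this thread converges on, as an added JavaScript sketch that is not spec text and not code from any participant: every redirect must be same-origin with the document or pass the timing allow check against the document's origin, and once one fails a flag keeps redirectStart/redirectEnd at 0 for the rest of the chain. The function names, hop records, timestamps and origins are constructed, and `timingAllowCheck` is a simplified stand-in for the algorithm in [2].

```javascript
// Added illustration, not spec text. All names and sample data are constructed.

// Simplified stand-in for the timing allow check: passes when the
// Timing-Allow-Origin value lists the document's origin or "*".
function timingAllowCheck(taoHeader, documentOrigin) {
  if (!taoHeader) return false;
  return taoHeader.split(/[\s,]+/).some(v => v === '*' || v === documentOrigin);
}

// hops: the redirect responses R1..Rn in order (the final resource excluded).
function redirectTiming(documentOrigin, hops) {
  let originClean = true; // models the "redirection-origin-clean" flag
  let redirectStart = 0;
  let redirectEnd = 0;
  let sawRedirect = false;
  for (const hop of hops) {
    // Once cleared, the flag stays cleared: later hops that do allow the
    // document must not repopulate the attributes.
    if (!originClean) continue;
    const sameOrigin = new URL(hop.url).origin === documentOrigin;
    if (!sameOrigin && !timingAllowCheck(hop.tao, documentOrigin)) {
      originClean = false;
      redirectStart = 0;
      redirectEnd = 0;
      continue;
    }
    if (!sawRedirect) { redirectStart = hop.start; sawRedirect = true; }
    redirectEnd = hop.end;
  }
  return { redirectStart, redirectEnd, originClean };
}

// Constructed chain for document D: R1 -> R2 -> R3 -> (R4, final resource).
const D = 'https://d.example';
const allAllow = [
  { url: 'https://d.example/r1', start: 10, end: 25, tao: null },
  { url: 'https://cdn.example/r2', start: 25, end: 40, tao: 'https://d.example' },
  { url: 'https://img.example/r3', start: 40, end: 62, tao: '*' },
];
// Same chain, but R2 sends no Timing-Allow-Origin header.
const r2Disallows = allAllow.map((h, i) => (i === 1 ? { ...h, tao: null } : h));

console.log(redirectTiming(D, allAllow));    // full redirect time
console.log(redirectTiming(D, r2Disallows)); // zeroed; R3 is never counted
```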