Re: detecting connection speed

From: Yoav Weiss <yoav@yoav.ws>
Date: Thu, 12 Dec 2013 18:11:35 +0100
Message-ID: <CACj=BEhsQSt5Zng=i43enz=9v0LyYj_G61KQg=HogVV+UGgv-Q@mail.gmail.com>
To: "Aaron Heady (BING AVAILABILITY)" <aheady@microsoft.com>, Jonas Sicking <jonas@sicking.cc>
Cc: Nic Jansma <nic@nicj.net>, "Reitbauer, Alois" <Alois.Reitbauer@compuware.com>, James Graham <james@hoppipolla.co.uk>, public-web-perf <public-web-perf@w3.org>

On Thu, Dec 12, 2013 at 5:48 PM, Aaron Heady (BING AVAILABILITY) <aheady@microsoft.com> wrote:

> Nic,
>
> Thanks for digging this up. This is a very common blocker to features.
> What group is trying to come up with a better security model to address
> cross origin data sharing?
>

This was discussed in the previous thread, and the only security-related
objection was for cross-domain resources (so same-domain byte size info was
considered safe).
As Ilya stated, ResourceTiming is only enabled for cross domain origins
that have opted-in, so it's not certain that byte size info imposes a large
risk there (and if so, timing info can heuristically expose the same data).

Adding Jonas, who expressed these security concerns last time around.


>
> Thanks,
>
> Aaron
>
> *From:* Nic Jansma [mailto:nic@nicj.net]
> *Sent:* Wednesday, December 11, 2013 7:37 PM
> *To:* Reitbauer, Alois; Yoav Weiss; James Graham
>
> *Cc:* public-web-perf
> *Subject:* Re: detecting connection speed
>
>
>
> One of the reasons ResourceTiming v1 didn't expose bytes transferred was
> due to cross-origin security concerns, e.g. detecting if a user had already
> downloaded a known image from a separate site mybank.com.  I would assume
> that is still a security concern, and it may limit the usefulness for some
> of the use-cases presented if they involve other origins.
>
>
> I hadn't seen cross-origin limitations brought up, so I wanted to make
> sure everyone that was discussing this was aware of the issue.
>
> Here's a thread from last year that discussed byte-size a bit:
> http://lists.w3.org/Archives/Public/public-web-perf/2013Jan/0000.html
>
>  - Nic
>
> http://nicj.net/
>
> @NicJ
>
>
Received on Thursday, 12 December 2013 17:12:03 UTC
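
Added example, not part of the original thread or of any participant's code: a page-side audit of which cross-origin resources have opted in to detailed ResourceTiming data. It relies on the Resource Timing rule that, without a `Timing-Allow-Origin` opt-in, the listed attributes are reported as zero; the function name, the sample entries and the `example.*` hosts are constructed for illustration.

```javascript
// Attributes the Resource Timing spec reports as 0 for a cross-origin
// resource whose response did not opt in via Timing-Allow-Origin.
const RESTRICTED_FIELDS = [
  "redirectStart", "redirectEnd", "domainLookupStart", "domainLookupEnd",
  "connectStart", "connectEnd", "secureConnectionStart",
  "requestStart", "responseStart",
];

// Classify each entry as same-origin, cross-origin with the opt-in, or
// cross-origin restricted (only startTime/fetchStart/responseEnd/duration
// are visible to the page).
function classifyEntries(entries, pageOrigin) {
  return entries.map((e) => {
    const origin = new URL(e.name).origin;
    if (origin === pageOrigin) {
      return { name: e.name, exposure: "same-origin" };
    }
    const detailed = RESTRICTED_FIELDS.some((f) => e[f] > 0);
    return {
      name: e.name,
      exposure: detailed ? "cross-origin-opted-in" : "cross-origin-restricted",
    };
  });
}

// Constructed sample entries (shape of PerformanceResourceTiming, trimmed).
const SAMPLE_ENTRIES = [
  { name: "https://example.test/app.js", fetchStart: 10, domainLookupStart: 10,
    connectStart: 10, requestStart: 12, responseStart: 30, responseEnd: 41 },
  { name: "https://cdn.example.net/lib.js", fetchStart: 11, domainLookupStart: 11,
    connectStart: 14, requestStart: 25, responseStart: 48, responseEnd: 60 },
  { name: "https://ads.example.org/pixel.gif", fetchStart: 15, domainLookupStart: 0,
    connectStart: 0, requestStart: 0, responseStart: 0, responseEnd: 95 },
];

// In a browser the inputs would be:
//   classifyEntries(performance.getEntriesByType("resource"), location.origin)
const report = classifyEntries(SAMPLE_ENTRIES, "https://example.test");
for (const r of report) console.log(r.exposure.padEnd(24), r.name);
```

Even for the restricted entry the page still sees `responseEnd - fetchStart`, which is the coarse timing signal the message above says can heuristically expose the same data.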