On Thu, Dec 12, 2013 at 5:48 PM, Aaron Heady (BING AVAILABILITY) < aheady@microsoft.com> wrote: > Nic, > > > > Thanks for digging this up. This is a very common blocker to features. > What group is trying to come up with a better security model to address > cross origin data sharing? > This was discussed in the previous thread, and the only security related objection was for cross-domain resources (so same-domain byte size info was considered safe). As Ilya stated, ResourceTiming is only enabled for cross domain origins that have opted-in, so it's not certain that byte size info imposes a large risk there (and if so, timing info can heuristically expose the same data). Adding Jonas, which expressed these security concerns last time around. > > Thanks, > > > > Aaron > > > > > > *From:* Nic Jansma [mailto:nic@nicj.net] > *Sent:* Wednesday, December 11, 2013 7:37 PM > *To:* Reitbauer, Alois; Yoav Weiss; James Graham > > *Cc:* public-web-perf > *Subject:* Re: detecting connection speed > > > > One of the reasons ResourceTiming v1 didn't expose bytes transferred was > due to cross-origin security concerns, eg. detecting if a user had already > downloaded a known image from a separate site mybank.com. I would assume > that is still a security concern, and it may limit the usefulness for some > of the use-cases presented if they involve other origins. > > > I hadn't seen cross-origin limitations brought up, so I wanted to make > sure everyone that was discussing this was aware of the issue. > > Here's a thread from last year that discussed byte-size a bit: > http://lists.w3.org/Archives/Public/public-web-perf/2013Jan/0000.html > > - Nic > > http://nicj.net/ > > @NicJ > >
Received on Thursday, 12 December 2013 17:12:03 UTC