Re: [ResourceTiming] "timing allow check" steps depend on underdefined behavior

Hi Boris,
As listed in step 8 of the processing model, the timing_allow_check is not
performed for same origin fetches. The check is only performed for CORS
fetches where the Origin header is present.

Please let me know if I missed your point.

Arvind



On Mon, May 5, 2014 at 8:12 PM, Boris Zbarsky <bzbarsky@mit.edu> wrote:

> Specifically, this step:
>
>   If the value of Timing-Allow-Origin is not a case-sensitive match for
>   the value of the Origin header [IETF RFC 6454], return fail and
>   terminate this algorithm.
>
> says to fail and terminate for any response for which an Origin header was
> not sent, as far as I can tell.  And nothing really defines when an Origin
> header is sent, except for CORS fetches.
>
> I assume the language currently in the spec is not the actual intent, but
> if so the spec needs to say what it actually means to say here...
>
> -Boris
>
>

Received on Wednesday, 7 May 2014 14:14:24 UTC
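To make the step under discussion concrete, here is a small model of the "timing allow check" as the quoted spec text reads, and of what a failed check withholds. This is an added example, not code from the thread or from the Resource Timing spec; the fetch shape (`documentOrigin`, `resourceOrigin`, `originHeader`, `timingAllowOrigin`), the treatment of `Timing-Allow-Origin` as `*` or a whitespace-separated list, and the list of attributes zeroed on failure are assumptions of the example. The `originHeader === null` branch is exactly the case Boris raises: a cross-origin fetch that never sent an Origin header can match nothing and so fails under a literal reading.

```javascript
// Added example (not from the thread or the spec): a model of Resource Timing's
// "timing allow check" as the quoted step reads. Origins are plain strings.

// A fetch as the check sees it. `originHeader` is null when no Origin request
// header was sent (e.g. a plain cross-origin <img>); `timingAllowOrigin` is the
// response's Timing-Allow-Origin header value, or null if absent.
function timingAllowCheck(f) {
  // Step 8 of the processing model (Arvind's point): same-origin fetches skip the check.
  if (f.documentOrigin === f.resourceOrigin) return "pass";

  // No Timing-Allow-Origin header on the response: nothing grants access.
  if (f.timingAllowOrigin === null) return "fail";

  // Assumption about the header grammar: "*" or a whitespace-separated list of origins.
  const allowed = f.timingAllowOrigin.trim().split(/\s+/);
  if (allowed.includes("*")) return "pass";

  // The quoted step: fail unless the value is a case-sensitive match for the
  // Origin header. Read literally, a fetch that sent no Origin header cannot
  // match anything and therefore fails (Boris's observation).
  if (f.originHeader === null) return "fail";
  return allowed.includes(f.originHeader) ? "pass" : "fail";
}

// Attributes withheld when the check fails (assumption: this follows the
// Level 1 text; only keys actually present on the entry are zeroed).
const RESTRICTED = [
  "redirectStart", "redirectEnd", "domainLookupStart", "domainLookupEnd",
  "connectStart", "connectEnd", "secureConnectionStart", "requestStart", "responseStart",
];

// Build the entry a document is allowed to see: a failed check zeroes the
// cross-origin detail while startTime/fetchStart/responseEnd stay visible.
function exposeTimings(raw, f) {
  const out = { ...raw };
  if (timingAllowCheck(f) === "fail") {
    for (const k of RESTRICTED) if (k in out) out[k] = 0;
  }
  return out;
}

// Constructed sample fetches.
const sameOriginFetch = {
  documentOrigin: "https://a.example", resourceOrigin: "https://a.example",
  originHeader: null, timingAllowOrigin: null,
};
const corsGranted = {
  documentOrigin: "https://a.example", resourceOrigin: "https://cdn.example",
  originHeader: "https://a.example", timingAllowOrigin: "https://a.example https://b.example",
};
const corsCaseMismatch = {
  documentOrigin: "https://a.example", resourceOrigin: "https://cdn.example",
  originHeader: "https://a.example", timingAllowOrigin: "https://A.example",
};
const plainImg = {
  documentOrigin: "https://a.example", resourceOrigin: "https://cdn.example",
  originHeader: null, timingAllowOrigin: "https://a.example",
};

// Constructed raw timings (milliseconds) for a single resource.
const sampleTimings = {
  startTime: 10, fetchStart: 12, domainLookupStart: 13, connectStart: 15,
  requestStart: 20, responseStart: 40, responseEnd: 50,
};

console.log(timingAllowCheck(sameOriginFetch), timingAllowCheck(corsGranted),
            timingAllowCheck(corsCaseMismatch), timingAllowCheck(plainImg));
console.log(exposeTimings(sampleTimings, plainImg));
```

The `plainImg` case is the ambiguity in the thread: the response does carry a `Timing-Allow-Origin` naming the document's origin, yet the literal step still fails because no Origin header was sent. Whether that fetch should be checked at all, or checked against something other than the Origin header, is what the spec text needs to say.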