RE: Re: add "networkDuration" to Resource Timing

The specifics are in http://www.w3.org/TR/resource-timing/#privacy-security. It's trying to prevent sites from being able to determine what other sites you've visited.
6 Privacy and Security

This section is non-normative.

The PerformanceResourceTiming<http://www.w3.org/TR/resource-timing/#performanceresourcetiming> interface exposes timing information for a resource to any web page that has included that resource. To limit the access to the PerformanceResourceTiming<http://www.w3.org/TR/resource-timing/#performanceresourcetiming> interface, the same origin<http://www.w3.org/TR/resource-timing/#same-origin> policy is enforced by default and certain attributes are set to zero, as described in Section 4.5 Cross-origin Resources<http://www.w3.org/TR/resource-timing/#cross-origin-resources>. Resource providers can explicitly allow all timing information to be collected for a resource by adding the Timing-Allow-Origin<http://www.w3.org/TR/resource-timing/#timing-allow-origin> HTTP response header, which specifies the domains that are allowed to access the timing information.

Statistical fingerprinting is a privacy concern where a malicious web site may determine whether a user has visited a third-party web site by measuring the timing of cache hits and misses of resources in the third-party web site. Though the PerformanceResourceTiming<http://www.w3.org/TR/resource-timing/#performanceresourcetiming> interface gives timing information for resources in a document, the cross-origin restrictions<http://www.w3.org/TR/resource-timing/#cross-origin-resources> prevent making this privacy concern any worse than it is today using the load event on resources to measure timing to determine cache hits and misses.





From: Ryan Pellette [mailto:ryan@catchpoint.com]
Sent: Tuesday, January 6, 2015 11:07 AM
To: public-web-perf@w3.org
Subject: Re: add "networkDuration" to Resource Timing

Steve, thanks for posting about this issue and leading the charge to change the specification. I completely agree - it is a big limitation.
The networkDuration is a great addition, but how about getting this further and removing the Timing-Allow-Origin header requirement? The data the API provides does not contain any private data about the end user or the URL, or the interaction between the two, so what is it really protecting?

Received on Wednesday, 7 January 2015 16:51:36 UTC
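
An added example, not part of either message or of the specification text: a JavaScript model of the cross-origin restriction quoted above, showing which attributes a page's script sees as zero unless the resource's response carries a matching Timing-Allow-Origin header. The origins `https://shop.example` and `https://cdn.example`, the function names and the sample entry are hypothetical, and the header-splitting rule is an assumption.

```javascript
// Attributes reported as zero when a cross-origin resource fails the
// timing allow check (Resource Timing, section 4.5 Cross-origin Resources).
const RESTRICTED = [
  "redirectStart", "redirectEnd", "domainLookupStart", "domainLookupEnd",
  "connectStart", "connectEnd", "secureConnectionStart",
  "requestStart", "responseStart",
];

// Same-origin resources always pass. Otherwise the response's
// Timing-Allow-Origin value must be "*" or name the page's origin.
// Assumption: list items are separated by commas and/or whitespace.
function timingAllowCheck(pageOrigin, resourceUrl, taoHeader) {
  if (new URL(resourceUrl).origin === pageOrigin) return true;
  if (!taoHeader) return false;
  const values = taoHeader.split(/[\s,]+/).filter(Boolean);
  return values.includes("*") || values.includes(pageOrigin);
}

// Returns the entry as the embedding page's script would observe it.
function visibleEntry(pageOrigin, raw, taoHeader) {
  const seen = { ...raw };
  if (!timingAllowCheck(pageOrigin, raw.name, taoHeader)) {
    for (const attr of RESTRICTED) seen[attr] = 0;
  }
  return seen;
}

// Phase breakdown a monitoring script can compute from an observed entry.
// Without the detailed attributes only the total duration is left.
function breakdown(entry) {
  const total = entry.responseEnd - entry.startTime;
  if (entry.requestStart === 0) return { detailed: false, total };
  return {
    detailed: true,
    total,
    dns: entry.domainLookupEnd - entry.domainLookupStart,
    connect: entry.connectEnd - entry.connectStart,
    ttfb: entry.responseStart - entry.requestStart,
    download: entry.responseEnd - entry.responseStart,
  };
}

// Constructed sample entry (milliseconds), not measured data.
const RAW = {
  name: "https://cdn.example/lib.js", startTime: 100, fetchStart: 100,
  redirectStart: 0, redirectEnd: 0, domainLookupStart: 101,
  domainLookupEnd: 121, connectStart: 121, secureConnectionStart: 131,
  connectEnd: 161, requestStart: 162, responseStart: 222, responseEnd: 250,
};
```

For the restricted entry, `breakdown` can report only the 150 ms total, which is the gap the "networkDuration" proposal in this thread is about.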