Re: [whatwg/fetch] Add TAO check (#955) from Yoav Weiss on 2019-11-07 (public-webapps-github@w3.org from November 2019)

From: Yoav Weiss <notifications@github.com>
Date: Wed, 06 Nov 2019 18:02:36 -0800
To: whatwg/fetch <fetch@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <whatwg/fetch/pull/955/review/313071950@github.com>

yoavweiss commented on this pull request.



> @@ -1800,6 +1805,15 @@ initially unset.
 being provided to an API that didn't make a range request. See the flag's usage for a detailed
 description of the attack.
 
+<p>A <a for=/>response</a> has an associated
+<dfn for=response id=concept-response-timing-allow-failed-flag>timing allow check flag</dfn>, which
+is initially unset.
+
+<p class=note>This is used so that the caller to a fetch can determine if sensitive timing data is

Interesting! Did we have requests to expose TAO availability to JS? Or is it just a "let's expose it because we can and it's cheap"?

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/955#pullrequestreview-313071950

Received on Thursday, 7 November 2019 02:02:38 UTC