- From: arturjanc <notifications@github.com>
- Date: Thu, 07 Nov 2019 01:26:49 -0800
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Thursday, 7 November 2019 09:26:53 UTC
Re: timing same-origin redirects, this is already possible so I don't think there's any danger if TAO isn't required to expose timing information in this case. For example, you can time the redirect via Fetch's `redirect: 'manual'` ([example](https://arturjanc.com/time-same-origin-redirect.html)) or by CSP's `SecurityPolicyViolationEvent` if you issue a cross-origin redirect that violates your policy.

Even if this wasn't possible, I don't think the risk of timing is comparable to the risk of directly exposing the `Location` value. So, basically, exposing timing information for all same-origin requests doesn't seem particularly scary to me (or, scary at all).

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/955#issuecomment-550996339