Review of Resource Timing L1 (webperf)

Hey all.

We (WebPerf working group) are working towards publishing Resource Timing
L1 as Candidate Recommendation and looking for a review of the draft:

https://cdn.rawgit.com/w3c/resource-timing/V1/index.html

A quick run through the security questionnaire [1]:

   - 3.1-3.4: No.
   - 3.5: Yes. The PerformanceResourceTiming interface exposes detailed timing
   information for fetched resources. This information is available by default
   for same-origin resources, and cross-origin resources must opt in via the
   Timing-Allow-Origin header. For full details, see:
      - https://cdn.rawgit.com/w3c/resource-timing/V1/index.html#privacy-security
      - https://cdn.rawgit.com/w3c/resource-timing/V1/index.html#cross-origin-resources
   - 3.6-3.12: No.
   - 3.13: Yes, see 3.5
   - 3.14-3.15: No.
   - 3.16: Yes:
   https://cdn.rawgit.com/w3c/resource-timing/V1/index.html#privacy-security
   - 3.17: No.

We would appreciate any feedback or questions on any of the above, or any
other aspect of the draft. If you have any comments, we would prefer if you
file them as issues on GitHub [2]. Alternatively, you can email them to
public-web-perf@w3.org.

Thanks!

[1] https://w3ctag.github.io/security-questionnaire/#questions
[2] https://github.com/w3c/resource-timing

Received on Tuesday, 31 May 2016 19:58:55 UTC
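
The opt-in described under 3.5, as an added example that is not part of the original message or of the draft: a model of how a user agent decides whether a page sees detailed timing for a resource. The function names and sample values are hypothetical; the case-sensitive origin match and the list of zeroed attributes are assumptions taken from a reading of the draft's cross-origin section.

```javascript
// Attributes hidden (reported as 0) when the check fails. Assumed from the draft.
const GATED = [
  "redirectStart", "redirectEnd", "domainLookupStart", "domainLookupEnd",
  "connectStart", "connectEnd", "secureConnectionStart",
  "requestStart", "responseStart",
];

// Hypothetical helper: true when the document may see detailed timing.
function timingAllowCheck(documentOrigin, resourceOrigin, taoHeader) {
  if (documentOrigin === resourceOrigin) return true; // same-origin: on by default
  if (typeof taoHeader !== "string") return false;    // cross-origin, no opt-in
  return taoHeader
    .split(",")
    .map((v) => v.trim())
    .filter((v) => v !== "")
    .some((v) => v === "*" || v === documentOrigin);  // case-sensitive match
}

// Hypothetical helper: the entry a page would observe for one fetch.
function exposeEntry(documentOrigin, resourceUrl, taoHeader, rawTiming) {
  const resourceOrigin = new URL(resourceUrl).origin;
  const entry = { name: resourceUrl, ...rawTiming };
  if (!timingAllowCheck(documentOrigin, resourceOrigin, taoHeader)) {
    for (const key of GATED) entry[key] = 0;
  }
  return entry;
}

// Constructed sample timing values (milliseconds), not measured data.
const SAMPLE = {
  startTime: 100, fetchStart: 100, redirectStart: 0, redirectEnd: 0,
  domainLookupStart: 101, domainLookupEnd: 109, connectStart: 109,
  secureConnectionStart: 115, connectEnd: 140, requestStart: 141,
  responseStart: 180, responseEnd: 210,
};

const page = "https://app.example";
const cdn = "https://cdn.example/lib.js";
console.log(exposeEntry(page, cdn, null, SAMPLE));  // gated fields are 0
console.log(exposeEntry(page, cdn, page, SAMPLE));  // full detail
```

A resource owner reviewing its exposure can apply the same check to its own response headers: a wildcard Timing-Allow-Origin value grants every embedding origin the DNS, connection and request timings listed above.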