Re: Resource Timing

This seems more restrictive than the same origin policy. IMO any
resource loaded by a document should be visible by that document by
default, regardless of where that resource came from.

If I have an HTML document at http://example.com/ that looks like:

<html>
<body>
<src src="http://otherdomain.com/foo.js"></script>
</body>
</html>

It seems unnecessary to hide the timing information about
http://otherdomain.com/foo.js from my page. I know full well that my
page is trying to load this resource, as it's explicitly declared in
my HTML. This goes for any resource loaded into my document.

Why do you think it is necessary to require the header for resources
loaded in the same document?

On Tue, Aug 24, 2010 at 4:36 PM, Zhiheng Wang <zhihengw@google.com> wrote:
>    I actually did mean "HTML header". :-) HTTP header requires changes to
> the http server configure, which is not always
> feasible for developers.
> thanks,
> Zhiheng
>
> On Tue, Aug 24, 2010 at 1:25 PM, Jason Sobel <jsobel@facebook.com> wrote:
>>
>> I assume you mean an HTTP header? If so, that sounds totally reasonable.
>>
>> Thanks!
>>
>>
>>
>>               --jason
>>
>>
>>
>> From: Zhiheng Wang [mailto:zhihengw@google.com]
>> Sent: Tuesday, August 24, 2010 1:21 PM
>> To: Jason Sobel
>> Cc: Bryan McQuade; public-web-perf@w3.org
>> Subject: Re: Resource Timing
>>
>>
>>
>>    fbcdn.net can set its html header, say "allow-timing-access", to allow
>> facebook.com to access timing information on those resources
>>
>> served from it. That should answer your question?
>>
>>
>>
>> cheers,
>>
>> Zhiheng
>>
>> On Tue, Aug 24, 2010 at 12:37 PM, Jason Sobel <jsobel@facebook.com> wrote:
>>
>> The case I'm mostly worried about is where we (facebook.com) host our
>> static resources on a different domain (fbcdn.net). I'd like some way to
>> allow fbcdn.net to "opt in" to giving timing information to facebook.com. At
>> one point CORS (http://www.w3.org/TR/cors/) was mentioned as a possible
>> solution.
>>
>> I look forward to seeing what you come up with Zhiheng. Thanks!
>>
>>              --jason
>>
>> -----Original Message-----
>> From: Bryan McQuade [mailto:bmcquade@google.com]
>> Sent: Tuesday, August 24, 2010 12:32 PM
>> To: Zhiheng Wang
>> Cc: Jason Sobel; public-web-perf@w3.org
>> Subject: Re: Resource Timing
>>
>> Interesting. Can you expand on the meta header approach?
>>
>> I assume you are referring to a case where a child iframe is on a
>> different origin. In that case it would not be appropriate to leak the
>> timing info for the frame up to the parent. But it sounds like this
>> meta header might allow the child frame to give permission to leak the
>> info to the parent?
>>
>> On Tue, Aug 24, 2010 at 12:49 PM, Zhiheng Wang <zhihengw@google.com>
>> wrote:
>> >     The immediate questions for ResourceTiming is how to maintain
>> > privacy
>> > while exposing those timing information.
>> > So far using meta header on top of the same origin policy seems to be
>> > the
>> > way to start. An update should be available
>> > later this week.
>> > cheers,
>> > Zhiheng
>> >
>> >
>> > On Mon, Aug 23, 2010 at 12:41 PM, Jason Sobel <jsobel@facebook.com>
>> > wrote:
>> >>
>> >> Hey all-
>> >>
>> >> Looks like you're making great progress on navigation timing -- very
>> >> exciting!
>> >>
>> >>
>> >>
>> >> Do you have any thoughts on polishing and implementing resource timing?
>> >> That data is very interesting to us at Facebook so I'm hoping it will
>> >> be
>> >> available in all the major browsers sooner rather than later.
>> >>
>> >>
>> >>
>> >> Thanks much!
>> >>
>> >>
>> >>
>> >>               --jason
>> >>
>> >>
>> >
>>
>>
>

Received on Tuesday, 24 August 2010 20:51:15 UTC