[minutes] 20101020 Web Performance

Available at:

Web Performance Working Group Teleconference #06
20 Oct 2010
See also: IRC Log

Biesi, AndersonQuach, Zhiheng, NicJansma, Sigbjorn
PLH, JasonWeber
ArvindJain, JasonWeber

*         Feedback on Privacy Issue w/ Navigation Timing.

*         Next steps to getting Navigation Timing to draft.

*         Getting started with Resource Timing and User Timing.

*         Any other business.


Zhiheng: TonyG has gone thru security review with the Chrome team, suggestions include zero'ing out redirectCount in different origin navigations in the timeline, and to provide a means to disable the interface completely
AndersonQuach: Sounds good, as long as the disable via UI is a non-normative requirement.
Sigborn: We must be safe by default. The timings that reveal off-domain must not be available programmatically.
<scribe> scribe: AndersonQuach
AndersonQuach: It can be feasible to attack with the same origin and a redirect service. We could remove redirectCount altogether.
... And disable redirect and unloading timings for different origin.
Zhiheng: We need to hear more feedback from user-agent and security experts about the removal of redirectCount
... where is navigationStart?
Sigborn: What is same domain, same cookie domain?
Zhiheng: Same host
Sigborn: Cookie domain, sub domains of yahoo.com
AndersonQuach: where did we land with navigationStart
NicJansma: A->B->A->A, navigationStart should begin immediately prior the second A
... for same domain with different origin redirections
Zhiheng: need to look to clarify navigationStart and redirectStart
AndersonQuach: Zhiheng, can you capture your thoughts and we'll get feedback from Jonas and TonyG?
NicJansma: Anderson and I will follow-up with additional feedback from our security review via mail and for the next meeting.
Sigborn: Should make the same domain be the same as the cookie domain, I will write it up.
AndersonQuach: Let's move the spec to a working draft as all the latest feedback has been incorporated.
... Let's be explicit that this is not a user-agent benchmark.
Sigborn: Let's say due to the non-normative phases, the individual phases should not be used as a benchmark.
AndersonQuach: Agreed.
... Let's simplify the accessing of the ResourceTiming
... Let's say have a fixed buffer of 1000, have the ability to clear the buffer, and to expand the buffer to cater to WebApps.
Zhiheng: We don't want developers to crawl the page.
AndersonQuach: Agreed, we should have the timing centralized.
Zhiheng: Yup, the object should be easily serialized into a JSON object.
... How can a developer get the timing about a specific image?
NicJansma: Timing of a specific image?
Zhiheng: Yes.
NicJansma: ResourceTiming can have the URL and potentially the id and provide a means to filter based on type and/or id.
... Goal for ResourceTiming to get timing that is inaccessible to JS.
... We should keep in mind to be able to get the timing for individual elements and the collection.
Zhiheng: Come up with a short summary proposal and review the proposals.
AndersonQuach: I can write that out.
Zhiheng: ResourceTiming has privacy concern as well. To have an HTML header to turn this on.
... implement the allow policy in the http header.
Sigborn: This is possible but difficult to implement as seen in other W3C discussions.
NicJansma: For different origin we can reduce the amount of details, just having fetchStart -> loadEventEnd, not providing additional info via JS. Provide total time to load the content.
Sigborn: Expand definition of Same Origin to include Same Cookie Domain + Sub Domain.
AndersonQuach: 1. We agree to move spec to working draft.
... 2. Discuss privacy offline, feedback from Tony and Jonas.
... 3. Zhiheng will provide a proposal for navigationStart.
... 4. Anderson will respond with the simplified resource timing proposal.
... Thanks everyone for meeting!

Received on Wednesday, 20 October 2010 18:34:27 UTC