- From: Zhiheng Wang <zhihengw@google.com>
- Date: Thu, 21 Oct 2010 10:00:56 -0700
- To: Sigbjørn Vik <sigbjorn@opera.com>
- Cc: public-web-perf@w3.org
- Message-ID: <AANLkTikQ_wkvcCvZbGO+OSFKU6zzwR42y4cJz7fRYwaB@mail.gmail.com>
Hi, Sigbjørn, Great comments. Let me try to give some quick answers below. On Thu, Oct 21, 2010 at 7:46 AM, Sigbjørn Vik <sigbjorn@opera.com> wrote: > Hi > > I had a look through the spec on > http://dvcs.w3.org/hg/webperf/raw-file/tip/specs/NavigationTiming/Overview.htmlwith security glasses, but couldn't see any real issues other than those > which have already been raised. There is a potential privacy issue by > telling a site how the user navigated there (navigation type), but not > serious, see below. > > A couple of other issues where I see some room for confusion though: > > "var latency = now - performance.timing.navigationStart; > alert("User-perceived page loading time: " + latency);" > The JS variable measures network latency+document loading time, so it > should probably be renamed. > > "Without otherwise specified" > *Unless* otherwise specified > > I see the following note: > "Note: The relaxed same orgin policy doesn't provide sufficient protection > against unauthorized visits accross documents. In shared hosting, an > untrusted third party is able to host an HTTP server at the same IP address > but on a different port." > I must have missed this discussion, this is similar to the mail just sent > about cookie domains (here called relaxed same origin). I am not quite sure > I understand what "unauthorized visits accross documents" means? > ah, right, I missed this in the discussion yesterday. cookie domain doesn't work in cases like shared hosting, e.g., I have my web site on my.hosting.com and yours on yours.hotsting.com. We probably don't want to share information between them. > > Navigation types - these seem a bit underspecified. E.g. automatic types > are missing. What about a JS timeout that redirects a user? A window popup? > Meta refresh to reload or move elsewhere? I am not sure if these and friends > should go into type_navigate or type_reserved (or possibly even type_reload > in the case of a meta refresh to self). What does "the reload operation" > refer to (we used to have about 5 different reload operations in Opera, and > still have two exposed in the UI)? Would a better name for type_back_forward > be type_history_navigation? Note that back and forward aren't necessarily > well defined either, instant back, conditional get, and full get might give > three different results. I would consider it none of the site's business to > know how I got there, if the second time I visited it I did it via the same > link as the first time, via the forwards button, or in a new tab. Sometimes > this can be determined through a change in the HTTP headers sent, but apart > from that, this might be information users would like to keep private. Maybe > the types should be defined in terms of which HTTP headers the browser sent > instead? If-modified-since = conditional, cache-control:no-cache/maxage=0 = > reload, neither = fresh, none (e.g. instant back or reload from cache) = the > same as last time - that way we aren't revealing anything to the server > which the server doesn't already know, and the types might be more useful > for a site developer. A back navigation could be either one of the above, > depending on circumstances, and that doesn't seem very telling for the > developer. > Navigation type provides some background information on data analysis. Say, a back/forward page usually loads much faster than a normal navigation. Fastback is a particular interesting case, where we propose that the existing timing information should not be changed since there is no navigation. > > That brings up another question, are meta refreshes counted as redirects? > Only if the timeout is 0? (The spec says HTTP redirect <or equivalent>, but > the link only defines transport level equivalencies, it doesn't say anything > about document redirects. Though I would define a meta refresh with a 0 > timeout as functionally equivalent to a HTTP redirect.) What about JS which > redirects immediately? To be useful to developers, any kind of redirects > should be counted (including the page which detects if JS is enabled, and > redirects elsewhere based on that), but that could be troublesome to > implement. A clarification in the spec would be good though, "redirect" is > used multiple places, but not explicitly defined anywhere. > Right now only server side redirect is counted, i.e., no meta/JS refresh. We can have more discussion here. > > "If no domain lookup is required, go to step 11. Otherwise, immediately > before a user agent starts the domain name lookup, record the time as > domainLookupStart." > This gets confusing in the case of a half-finished DNS prefetch. I will fix other comments and post an update. thanks, Zhiheng > > > -- > Sigbjørn Vik > Quality Assurance > Opera Software > > > On Fri, 15 Oct 2010 20:46:30 +0200, Anderson Quach <aquach@microsoft.com> > wrote: > > Hi All, >> >> We're calling for input on a matter of privacy concerns with Navigation >> Timing. The follow attributes are being vetted to understand the threat with >> exposing Navigation Timing [1] attributes that can reveal to an attacking >> site what an end-user is doing in a particular session. >> >> (Please see the attached png for a visual representation of the timeline) >> >> navigationStart >> The issue with this timing marker is that it reveals the absolute start >> point of the navigation, which may include the timing phase associated with >> redirection and the time spent in the unload event. >> >> redirectStart >> redirectEnd >> After committing the navigation, the previous page (a.com) may perform >> redirections when navigating to the target/current page (b.com). Thus, >> b.com has access to specific timing information that is associated with >> redirections of a.com. >> >> redirectCount >> This attribute is related to redirectStart and redirectEnd, revealing the >> number of redirects while navigating from a.com to b.com. Thus, the >> target/current page (b.com) has access to the number of redirections >> associated with previous page (a.com). >> >> unloadEventStart >> unloadEventEnd >> After committing the navigation, the previous page (a.com) may have an >> unload event handler while navigating to the target/current page (b.com). >> Thus, b.com has access to how long a.com's unload handler took to >> execute. >> >> [1] >> http://dvcs.w3.org/hg/webperf/raw-file/tip/specs/NavigationTiming/Overview.html >> >> Thanks, >> Anderson Quach >> IE Program Manager >> > > > -- > Sigbjørn Vik > Quality Assurance > Opera Software > >
Received on Thursday, 21 October 2010 17:01:42 UTC