[NavigationTiming] navigationStart in Cross-origin redirects

   The current NavigationTiming spec <http://w3c-test.org/webperf/specs/NavigationTiming/> enforces the same-origin policy over information regarding redirection, including redirectStart, redirectEnd and redirectCount (and hence navigationStart when there is a redirect). This is supposed to be a conservative step to prevent the final page from estimating the timings of pages of other origins, which could be a potential privacy issue [1]. The decision is recorded in [2] and the topic has been discussed in [3] [5].

   After chatting with some developers, omitting part of the redirect latency leaves latency measurement unusable in some common cases such as the 301 redirect from a TLD to its www domain (w3c.org to www.w3c.org for example). And there is currently no obvious way to capture it with JS clients. This seems to be a let-down considering the NavigationTiming spec was started to solve the exact problem in non-redirect cases.

   Meanwhile, by timing iframe loading time and other techniques, a malicious page can already estimate the time it takes to load a page including HTTP redirects, so exposing navigationStart doesn't make it worse in terms of user privacy [4]. So I would propose to lift the SOP constraint on navigationStart in case of redirect.

   Thoughts and comments?

   On a related note, I can't think of a real-life example where domain A redirects to domain B while exposing the redirect time and count on domain A is harmful, given that only HTTP redirects are considered here. Can anyone provide a case for it? We should include it in the spec.

cheers,
Zhiheng



[1] http://www.google.com/url?sa=t&source=web&cd=1&ved=0CBQQFjAA&url=http%3A%2F%2Fciteseerx.ist.psu.edu%2Fviewdoc%2Fdownload%3Bjsessionid%3DEF781B549688C8151992AAEDA34192A6%3Fdoi%3D10.1.1.32.6864%26rep%3Drep1%26type%3Dpdf&ei=PrqXTdOYHoa4sQOd5ZTYBQ&usg=AFQjCNGfhjELwdlpuEs8pl4QHLbIeTUXYA&sig2=lvuu8X5S9GSuzfpKwNzWcQ
[2] http://lists.w3.org/Archives/Public/public-web-perf/2010Oct/0068.html
[3] http://lists.w3.org/Archives/Public/public-web-perf/2010Oct/0027.html
[4] http://lists.w3.org/Archives/Public/public-web-perf/2010Oct/0066.html
[5] http://lists.w3.org/Archives/Public/public-web-perf/2010Oct/0031.html

Received on Monday, 4 April 2011 17:38:21 UTC
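
The redirect rule and the proposal in the message above, modelled as an added example that is not part of the original message or of the spec. The hop list, the function names and the choice to report a withheld navigationStart as fetchStart are assumptions made for illustration.

```javascript
// Model of what the final page sees after a redirect chain.
// hops: [{url, start, end}] in navigation order; the last hop is the final document.
// Times are constructed millisecond values, not real measurements.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

function exposedTiming(hops, { liftNavigationStart = false } = {}) {
  const last = hops[hops.length - 1];
  const redirects = hops.slice(0, -1);
  const allSameOrigin = redirects.every(h => sameOrigin(h.url, last.url));
  const t = {
    navigationStart: hops[0].start, // simplification: navigation begins at the first hop
    redirectStart: 0,
    redirectEnd: 0,
    redirectCount: 0,
    fetchStart: last.start,
    responseEnd: last.end,
  };
  if (redirects.length > 0 && allSameOrigin) {
    // Same-origin chain: redirect details are exposed in full.
    t.redirectStart = redirects[0].start;
    t.redirectEnd = redirects[redirects.length - 1].end;
    t.redirectCount = redirects.length;
  } else if (redirects.length > 0 && !liftNavigationStart) {
    // Cross-origin chain under the current rule. Assumption: the withheld
    // navigationStart is reported as fetchStart, so the redirect time vanishes.
    t.navigationStart = t.fetchStart;
  }
  // With liftNavigationStart, only navigationStart is exposed for a cross-origin
  // chain; redirectStart, redirectEnd and redirectCount stay zero.
  return t;
}

// Latency as a page script would compute it from the exposed values.
function measuredLatency(t) {
  return t.responseEnd - t.navigationStart;
}

// Constructed sample: a 301 from the bare domain to its www host (different origins).
const CROSS_ORIGIN_CHAIN = [
  { url: "http://example.org/", start: 1000, end: 1180 },
  { url: "http://www.example.org/", start: 1180, end: 1600 },
];

console.log("current rule:", measuredLatency(exposedTiming(CROSS_ORIGIN_CHAIN)));
console.log("proposal:", measuredLatency(
  exposedTiming(CROSS_ORIGIN_CHAIN, { liftNavigationStart: true })));
```

Under the current rule the script measures 420 ms for a navigation that took 600 ms, and the zeroed redirect fields look the same as a navigation with no redirect at all.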