Re: [NavigationTiming] navigationStart in Cross-origin redirects

On Mon, 04 Apr 2011 19:37:50 +0200, Zhiheng Wang <>  

>    Meanwhile, by timing iframe loading time and other techniques,
> a malicious page can already estimate the time it takes to load a page
> including HTTP redirects so exposing navigationStart doesn't make it  
> worse
> in terms of user privacy
> [4]<>.
> So
> I would propose
> to lift the SOP constraint on navigationStart in case of redirect.
>    Thoughts and comments?

I cannot immediately think of any reasons we have to block  
navigationStart, so should be fine with me.

>    On a related note, I can't think of a real-life example where domain A
> redirects to domain B while exposing the redirect time and count on
> domain A is harmful, given that only HTTP redirects are considered here.  
> Any one can provide a case for it? We should include it in the
> spec.

Many sites will redirect a visitor differently depending on the user being  
logged in/having a cookie or not. There might be one extra redirection  
step to set a cookie, even before a site redirects a visitor to the final  
destination. The presence of the extra redirection step will leak  
information about a user's history. Exact redirect timings will also  
reveal if any DNS information is cached.

Sigbjørn Vik
Quality Assurance
Opera Software

Received on Tuesday, 5 April 2011 10:23:45 UTC