W3C home > Mailing lists > Public > public-web-perf@w3.org > April 2011

Re: [NavigationTiming] navigationStart in Cross-origin redirects

From: Sigbjørn Vik <sigbjorn@opera.com>
Date: Tue, 05 Apr 2011 12:23:24 +0200
To: public-web-perf <public-web-perf@w3.org>
Message-ID: <op.vtgm5ait41y844@id-c0735.oslo.opera.com>
On Mon, 04 Apr 2011 19:37:50 +0200, Zhiheng Wang <zhihengw@google.com>  

>    Meanwhile, by timing iframe loading time and other techniques,
> a malicious page can already estimate the time it takes to load a page
> including HTTP redirects so exposing navigationStart doesn't make it  
> worse
> in terms of user privacy
> [4]<http://lists.w3.org/Archives/Public/public-web-perf/2010Oct/0066.html>.
> So
> I would propose
> to lift the SOP constraint on navigationStart in case of redirect.
>    Thoughts and comments?

I cannot immediately think of any reasons we have to block  
navigationStart, so should be fine with me.

>    On a related note, I can't think of a real-life example where domain A
> redirects to domain B while exposing the redirect time and count on
> domain A is harmful, given that only HTTP redirects are considered here.  
> Any one can provide a case for it? We should include it in the
> spec.

Many sites will redirect a visitor differently depending on the user being  
logged in/having a cookie or not. There might be one extra redirection  
step to set a cookie, even before a site redirects a visitor to the final  
destination. The presence of the extra redirection step will leak  
information about a user's history. Exact redirect timings will also  
reveal if any DNS information is cached.

Sigbjørn Vik
Quality Assurance
Opera Software
Received on Tuesday, 5 April 2011 10:23:45 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:01:07 UTC