- From: Zhiheng Wang <zhihengw@google.com>
- Date: Wed, 13 Apr 2011 11:02:32 -0700
- To: Nic Jansma <Nic.Jansma@microsoft.com>
- Cc: "public-web-perf@w3.org" <public-web-perf@w3.org>
- Message-ID: <BANLkTinNUoZx9PoXa7xmg-+j8B35QxT01A@mail.gmail.com>
Some updates about "NavigationTiming navigationStart in cross-origin redirected navigations". After discussing with the security team here, the conclusion so far is that the security concerns associated with not zeroing out a different-origin navigationStart are outweighed by the benefits to legitimate web developers of having the data.

* There could be some privacy leak by exposing navigationStart, but existing techniques can already obtain similar info.
* Related to exploiting cross-site request forgery, the availability of the timing info is the least of the user's problem. And the timing info doesn't further enable the success of the attack itself.

In short, we can lift the same-origin constraint on navigationStart.

cheers,
Zhiheng

On Tue, Apr 12, 2011 at 3:21 PM, Nic Jansma <Nic.Jansma@microsoft.com> wrote:
> Below is the proposed agenda for Wednesday's meeting. Please reply with
> additional topics.
>
> Zakim Bridge Numbers:
> +1.617.761.6200, +33.4.26.46.79.03 and +44.203.318.0479.
> Passcode 97373 (WPERF)
>
> IRC channel #webperf on irc.w3.org:6665 http://irc.w3.org/
>
> Teleconference Time and Length (60min): 3-4PM EST/1-2PM PST
>
> 1. NavigationTiming Test updates
> 2. NavigationTiming navigationStart in cross-origin redirected navigations
> 3. NavigationTiming wall-clock time
> 4. Feedback on 4/5 updates to Resource Timing
> 5. Feedback on Unified Timing Proposal
> 6. Discussion on User Timing
> 7. Any other business
>
> Thanks,
> Nic
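What a page script can and cannot learn once navigationStart is kept for cross-origin redirected navigations, as an added example that is not part of the thread. The timing objects are constructed, and the field semantics assume the Navigation Timing rule that redirectStart/redirectEnd are reported as 0 whenever the redirect chain was not entirely same-origin.

```javascript
// Constructed sample timing objects (not captured from a browser), modelled on
// the PerformanceTiming fields: navigationStart, redirectStart, redirectEnd, fetchStart.
const SAMPLES = {
  // Same-origin redirect: every field is populated.
  sameOrigin:  { navigationStart: 1000, redirectStart: 1010, redirectEnd: 1110, fetchStart: 1115 },
  // Cross-origin redirect under the relaxed rule: redirect breakdown withheld,
  // navigationStart kept, so only the opaque total before fetchStart is visible.
  crossOrigin: { navigationStart: 1000, redirectStart: 0, redirectEnd: 0, fetchStart: 1300 },
  // Cross-origin redirect under the old proposal: navigationStart zeroed as well.
  crossOriginZeroed: { navigationStart: 0, redirectStart: 0, redirectEnd: 0, fetchStart: 1300 },
};

// Classify the redirect phase of a navigation from its timing fields.
// Returns the milliseconds spent between navigationStart and fetchStart and,
// when the redirect was same-origin, the redirect duration itself.
function redirectPhase(t) {
  if (!t || !(t.navigationStart > 0) || !(t.fetchStart > 0)) {
    // With navigationStart zeroed there is nothing to anchor the measurement to.
    return { kind: 'unknown', preFetchMs: null, redirectMs: null };
  }
  const preFetchMs = t.fetchStart - t.navigationStart;
  if (t.redirectStart > 0 && t.redirectEnd > 0) {
    return { kind: 'same-origin', preFetchMs, redirectMs: t.redirectEnd - t.redirectStart };
  }
  // Zeros here mean either no redirect or a cross-origin one; the script sees only
  // the total, never the intermediate origins or the per-hop breakdown.
  return { kind: 'withheld', preFetchMs, redirectMs: null };
}

// Run from a real page as: redirectPhase(window.performance.timing)
for (const [name, t] of Object.entries(SAMPLES)) {
  console.log(name, redirectPhase(t));
}
```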
Received on Wednesday, 13 April 2011 18:02:57 UTC