Re: [agenda] Web Performance WG Teleconference #28 Agenda 2011-04-13

   Some updates about "NavigationTiming navigationStart in cross-origin
redirected navigations".

   After discussing with the security team here, the conclusion so far is
that the security concerns associated
with not zeroing out a different-origin navigationStart are outweighed by
the benefits to legitimate web developers
of having the data.
   * There could be some privacy leak by exposing navigationStart but
existing techniques can already obtain similar info.
   * Related to exploiting cross-site request forgery, the availability of
the timing info is the least of the user's problems. And
     the timing info doesn't further enable the success of the attack
itself.

  In short, we can lift the same-origin constraint on navigationStart.

cheers,
Zhiheng



On Tue, Apr 12, 2011 at 3:21 PM, Nic Jansma <Nic.Jansma@microsoft.com> wrote:

>  Below is the proposed agenda for Wednesday’s meeting. Please reply with
> additional topics.
>
>
>
> Zakim Bridge Numbers:
> +1.617.761.6200, +33.4.26.46.79.03 and +44.203.318.0479.
> Passcode 97373 (WPERF)
>
> IRC channel #webperf on irc.w3.org:6665   http://irc.w3.org/
>
> Teleconference Time and Length (60min): 3-4PM EST/1-2PM PST
>
>
>
> 1.       NavigationTiming Test updates
>
> 2.       NavigationTiming navigationStart in cross-origin redirected
> navigations
>
> 3.       NavigationTiming wall-clock time
>
> 4.       Feedback on 4/5 updates to Resource Timing
>
> 5.       Feedback on Unified Timing Proposal
>
> 6.       Discussion on User Timing
>
> 7.       Any other business
>
>
>
> Thanks,
>
> Nic
>

Received on Wednesday, 13 April 2011 18:02:57 UTC