Re: Cross-Origin Resources and Resource Timing

Hi there,

Just curious to know what's the status of the default state for the "Timing-Allow-Origin" header - is it opt-out for HTTP and HTTPS by default?

Cheers,

--Ricardo

On Sep 14, 2011, at 12:49 PM, Nic Jansma wrote:

> Ah, Zhiheng has pointed out that part of the spec still refers to zeroing out responseEnd:
> http://dvcs.w3.org/hg/webperf/raw-file/tip/specs/ResourceTiming/Overview.html#cross-origin-resources
>  
> However, I think that was left over when we originally had resourceEnd, which wasn't zero'd out.  We cut resourceEnd and left responseEnd as they were the same.  I'd suggest we remove 'responseEnd' from that paragraph and the processing model.
>  
> - Nic
>  
> From: public-web-perf-request@w3.org [mailto:public-web-perf-request@w3.org] On Behalf Of Nic Jansma
> Sent: Wednesday, September 14, 2011 12:43 PM
> To: Zhiheng Wang; Aaron Peters
> Cc: public-web-perf@w3.org
> Subject: RE: Cross-Origin Resources and Resource Timing
>  
> responseEnd and duration are *not* zero'd out when cross-origin (https://dvcs.w3.org/hg/webperf/raw-file/tip/specs/ResourceTiming/Overview.html#response-end), specifically, because that data is already available today from onLoad timing.
>  
> - Nic
>  
> From: public-web-perf-request@w3.org [mailto:public-web-perf-request@w3.org] On Behalf Of Zhiheng Wang
> Sent: Wednesday, September 14, 2011 12:02 PM
> To: Aaron Peters
> Cc: public-web-perf@w3.org
> Subject: Re: Cross-Origin Resources and Resource Timing
>  
>    responseEnd and duration are currently zero'ed out when x-origin. Developers are
> supposed to work out their own onload handler for the overall load time. If the concern
> is that poor performers try to hide their timing by not enabling the header, maybe we can
> have responseEnd and duration enabled by default? Showing the overall duration of
> a resource generally triggers fewer concerns than timing details such as DNS and TCP
> connection time.
>  
> cheers,
> Zhiheng
>  
>    
>  
> 
> On Wed, Sep 14, 2011 at 4:32 AM, Aaron Peters <aaronpeters.nl@gmail.com> wrote:
> Hi people,
>  
> I fully agree with Bryan McQuade on this one: make it opt-in for HTTP, opt-out for HTTPS.
> If it is opt-out for HTTP, I expect *very* little adoption from third party providers.
>  
> In the past years, only a few third parties have improved their widget/tracker/ad code for better performance.
> As of today, most providers still give site owners crappy code (document.write, global JS variables, etc.) and latency can be very high.
>  
> There is very little to no incentive for them to start sending that Timing-Allow-Origin: * header.
>  
> As a web perf optimization consultant, I have seen third party scripts significantly impacting page load times and user experience on numerous occasions. Real User Monitoring services need to be able to capture the detailed timing info so site owners get the full insight.
>  
> Please, please, please change the spec, to enable site owners to better understand the performance of third party resources.
>  
> - Aaron Peters
>  
>  

Received on Wednesday, 5 October 2011 23:42:24 UTC
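
The distinction the thread turns on, as an added example that is not part of any message above and not code from the specification: a monitoring script separating Resource Timing entries whose detailed phases are exposed from cross-origin entries that report only the overall duration. It assumes the behaviour Nic describes (responseEnd and duration stay available, the DNS, connect and request phases read as zero without Timing-Allow-Origin); the sample entries and the `example.*` hosts are constructed.

```javascript
// Added example. Assumption: an entry whose detailed attributes all read 0
// had them withheld because no matching Timing-Allow-Origin header was sent.
const DETAIL_FIELDS = [
  "redirectStart", "redirectEnd", "domainLookupStart", "domainLookupEnd",
  "connectStart", "connectEnd", "secureConnectionStart",
  "requestStart", "responseStart",
];

// Reduce each entry to what a site owner can actually learn from it.
function summarize(entries, pageOrigin) {
  return entries.map((e) => {
    const origin = new URL(e.name).origin;
    const detailed = DETAIL_FIELDS.some((f) => e[f] > 0);
    return {
      origin,
      crossOrigin: origin !== pageOrigin,
      detailed,
      duration: e.duration, // available with or without the header
      breakdown: detailed ? {
        dns: e.domainLookupEnd - e.domainLookupStart,
        connect: e.connectEnd - e.connectStart,
        ttfb: e.responseStart - e.requestStart,
      } : null,
    };
  });
}

// Third-party origins for which only the overall duration is visible.
function withheld(entries, pageOrigin) {
  return summarize(entries, pageOrigin)
    .filter((s) => s.crossOrigin && !s.detailed)
    .map((s) => s.origin);
}

// Constructed entries shaped like PerformanceResourceTiming objects (ms).
const SAMPLE = [
  { name: "https://www.example.com/app.js", startTime: 10, domainLookupStart: 10,
    domainLookupEnd: 10, connectStart: 10, connectEnd: 10, requestStart: 12,
    responseStart: 40, responseEnd: 55, duration: 45 },
  { name: "https://cdn.example.net/lib.js", startTime: 20, domainLookupStart: 22,
    domainLookupEnd: 30, connectStart: 30, connectEnd: 60, requestStart: 61,
    responseStart: 120, responseEnd: 140, duration: 120 },
  { name: "https://ads.example.org/tag.js", startTime: 25, domainLookupStart: 0,
    domainLookupEnd: 0, connectStart: 0, connectEnd: 0, requestStart: 0,
    responseStart: 0, responseEnd: 425, duration: 400 },
];

// In a browser: summarize(performance.getEntriesByType("resource"), location.origin)
console.log(summarize(SAMPLE, "https://www.example.com"));
```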