Re: Cross-Origin Resources and Resource Timing

I remember there being some privacy concerns about exposing the granular 
details but I can't remember the specifics or find Anderson's original 
email that discussed them.

I'd like to encourage all companies that provide widgets that get 
embedded in other people's pages to also include the 
Timing-Allow-Origin: * header for transparency into their service but 
I'd hate to be encouraging people to do it if it is the wrong thing to 
do for privacy reasons.

Thanks,

-Pat

On 9/6/2011 1:01 PM, James Simonsen wrote:
> On Tue, Sep 6, 2011 at 8:00 AM, Alois Reitbauer 
> <alois.reitbauer@dynatrace.com <mailto:alois.reitbauer@dynatrace.com>> 
> wrote:
>
>     I have a question on cross-origin resources. Does the current spec
>     state that when the document is loaded from www.mydomain.com
>     <http://www.mydomain.com> that I will not get any timing
>     information from www.yourdomain.com <http://www.yourdomain.com> ?
>     This would make it impossible to monitor third party resources.
>
>
> You'll get the overall load time for those resources, but it won't be 
> broken down into the details (DNS time, connect time, etc.). Those 
> values will all report 0.
>
> If you want all the information, you'll have to add the 
> Timing-Allow-Origin header to the resource's HTTP response. See:
>
> http://dvcs.w3.org/hg/webperf/raw-file/tip/specs/ResourceTiming/Overview.html#cross-origin-resources
>
> James

Received on Tuesday, 6 September 2011 17:23:34 UTC