Re: Cross-Origin Resources and Resource Timing

I would like to discuss this during the next telco. First it would be good to understand the security risks which are caused by providing the timing information. This information is vital for end-user performance diagnostics, and the whole Resource Timing spec is a huge step forward. I wonder how big the adoption will be if it is "off" by default. It has to be first adopted by application providers and then be properly handled by proxies etc. This might cause the spec to only be of little value in a lot of cases.

I know that I come into the game quite late. I don't want to delay anything here, but as a tool provider this information is crucial and it is the only way to get insight into third party content.

As Patrick said, setting the Allow Header should be recommended to content providers. I am not really sure how many will adopt this if the spec implicitly states that it is turned off by default because it is dangerous.

// Alois


Alois Reitbauer, Technology Strategist | M (US) +1 617 515 1956 | M (EU) +43 664 8536534 | E alois.reitbauer@dynatrace.com | @AloisReitbaue
www.dynatrace.com | blog.dynatrace.com | ajax.dynatrace.com


Received on Tuesday, 13 September 2011 09:28:26 UTC