Re: Cross-Origin Resources and Resource Timing from Bryan McQuade on 2011-09-14 (public-web-perf@w3.org from September 2011)

From: Bryan McQuade <bmcquade@google.com>
Date: Wed, 14 Sep 2011 06:34:07 -0400
To: James Simonsen <simonjam@chromium.org>
Cc: "public-web-perf@w3.org" <public-web-perf@w3.org>
Message-ID: <CADLGQyAeuZ+twQSnOzWnARfn6=teXU6RMkyqwkN7E-5NgpiKcg@mail.gmail.com>

This is a good example. I agree that we don't want to leak the details of
secure sites like banks, so opt-out for those sites makes sense. However I
recommend that we opt in all HTTP resources to help developers and ops folks
understand exactly what makes a page load slow.

I've heard a number of people in the web perf community express great
disappointment when they find out that third party resources are opted out
by default. Despite our best intentions, the header opt-in approach just
isn't going to get adoption, and it allows slow providers to continue to
hide their latency. If a third-party resource provider knows their service
is slow, they have no incentive to turn on the header, and they can continue
to hide their latency from the web community. Their timing data won't show
up in web perf monitoring systems, allowing them to continue to make the web
slow w/o any accountability.

I recommend changing the spec to opt out HTTPS resources by default, and to
opt in HTTP by default (no header needed).

Do others on this thread support this proposed change? If so, please speak
up now!

On Tue, Sep 13, 2011 at 1:51 PM, James Simonsen <simonjam@chromium.org>wrote:

> On Wed, Sep 7, 2011 at 2:18 AM, Alois Reitbauer <
> alois.reitbauer@dynatrace.com> wrote:
>
>>  Getting the overall time is already helpful while it makes diagnosing
>> problems really hard missing the details. I have to say I am no security
>> expert, so I am not the right person to judge the security implications.  It
>> might be a good idea to state the security concerns in a non-normative
>> section. As Pat pointed out third party providers will have to be convinced
>> to support the new header. Having a strong reference like a W3C standard
>> would be helpful here.
>>
>
> The main attack is determining if a user is logged in to a third party
> site. If they include a resource from a third party site and see that it
> loaded quickly, for instance because an HTTPS connection already existed,
> then they can learn things like which bank the user uses.
>
> We are trying to make this useful for developers, but our users' privacy
> comes first.
>
> James
>

Received on Wednesday, 14 September 2011 10:34:40 UTC