- From: James Simonsen <simonjam@chromium.org>
- Date: Thu, 15 Sep 2011 17:30:21 -0700
- To: "public-web-perf@w3.org" <public-web-perf@w3.org>
- Message-ID: <CAPVJQimrvsVFx+68v3O0-6wa2iwzX9o0KKz++O2jWVjBB7XeCQ@mail.gmail.com>
On Wed, Sep 14, 2011 at 3:34 AM, Bryan McQuade <bmcquade@google.com> wrote:

> This is a good example. I agree that we don't want to leak the details of
> secure sites like banks, so opt-out for those sites makes sense. However I
> recommend that we opt in all HTTP resources to help developers and ops folks
> understand exactly what makes a page load slow.

The bank is just an example. The same could be done for regular HTTP sites. An evil operator could learn that this visitor has a Facebook account, uses Yahoo Mail, and visits 4x4 forums. That might be enough to pinpoint them as someone specific, instead of just being some anonymous visitor to the evil site.

We're trying to avoid exposing new ways of tracking users that couldn't be done before. If the connect time is 0, then you know for sure that the browser had an existing connection to that host and so must've visited it recently. As Alois pointed out, you could still try to guess this before by timing the load event, but that can be influenced by lots of things and is not conclusive. With connect time, it is conclusive.

Likewise with the other fields: A zero DNS time indicates a domain was accessed recently and a zero response time indicates the resource was in the cache.

We're okay exposing start and end time for all resources, because that's the same thing you could do before. But we don't want to open any new attack vectors.

James
Received on Friday, 16 September 2011 00:30:47 UTC
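
The restriction described in the message above, sketched as an added example that is not part of the original message or of any browser's code: a cross-origin resource keeps only its start and end time, so a warm and a cold browser state give the same per-phase values. The function names, the `optedIn` flag and the sample entries are assumptions; the field names are those of the Resource Timing API.

```javascript
// Added example, not from the original message. redactEntry() and optedIn are
// hypothetical; field names are those of the Resource Timing API.

// Per-phase fields whose values would reveal DNS, connection or cache state.
const DETAIL_FIELDS = [
  "domainLookupStart", "domainLookupEnd",
  "connectStart", "connectEnd",
  "requestStart", "responseStart",
];

function sameOrigin(pageUrl, resourceUrl) {
  return new URL(pageUrl).origin === new URL(resourceUrl).origin;
}

// Build the view of one timing entry that script on pageUrl may read.
// Same-origin or opted-in resources keep every field; anything else keeps
// only startTime and responseEnd, which the page could already measure.
function redactEntry(entry, pageUrl, optedIn = false) {
  const view = { ...entry };
  if (sameOrigin(pageUrl, entry.name) || optedIn) return view;
  for (const field of DETAIL_FIELDS) view[field] = 0;
  return view;
}

// Phase durations as a page script would compute them from a view.
function phases(view) {
  return {
    dns: view.domainLookupEnd - view.domainLookupStart,
    connect: view.connectEnd - view.connectStart,
  };
}

// Constructed sample entries (milliseconds): one resource, two browser states.
const PAGE = "https://site.example/";
const warm = { // connection and DNS entry already existed
  name: "https://mail.example/logo.png", startTime: 100,
  domainLookupStart: 100, domainLookupEnd: 100, connectStart: 100, connectEnd: 100,
  requestStart: 101, responseStart: 120, responseEnd: 125,
};
const cold = { // first contact with the host
  name: "https://mail.example/logo.png", startTime: 100,
  domainLookupStart: 100, domainLookupEnd: 130, connectStart: 130, connectEnd: 190,
  requestStart: 191, responseStart: 230, responseEnd: 236,
};

console.log(phases(warm), phases(redactEntry(warm, PAGE)));
console.log(phases(cold), phases(redactEntry(cold, PAGE)));
```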