Re: Cross-Origin Resources and Resource Timing

On Wed, Sep 14, 2011 at 3:34 AM, Bryan McQuade <> wrote:

> This is a good example. I agree that we don't want to leak the details of
> secure sites like banks, so opt-out for those sites makes sense. However I
> recommend that we opt in all HTTP resources to help developers and ops folks
> understand exactly what makes a page load slow.

The bank is just an example. The same could be done for regular HTTP sites.
An evil operator could learn that this visitor has a Facebook account, uses
Yahoo Mail, and visits 4x4 forums. That might be enough to pinpoint them as
someone specific, instead of just being some anonymous visitor to the evil

We're trying to avoid exposing new ways of tracking users that couldn't be
done before. If the connect time is 0, then you know for sure that the
browser had an existing connection to that host and so must've visited it

As Alois pointed out, you could still try to guess this before by timing the
load event, but that can be influenced by lots of things and is not
conclusive. With connect time, it is conclusive.

Likewise with the other fields: A zero DNS time indicates a domain was
accessed recently and a zero response time indicates the resource was in the

We're okay exposing start and end time for all resources, because that's the
same thing you could do before. But we don't want to open any new attack


Received on Friday, 16 September 2011 00:30:47 UTC