RE: [UserTiming] Privacy Section

The Working Group had considered moving the User Timing spec to Last Call in order to get more feedback on the Privacy Section change we had made recently. The spec had originally stated: "UserTiming potentially exposes information about specific activities on a page. This information must explicitly not be accessible in cross-domain situations and made available to only the server where the root document originates." We had updated this section to allow User Timing data to be shared to scripts from other origins with the timing-allow-origin http header and had improved the language.

As an example, the text states if a document D with origin A has included script S with origin B, when script S attempts to get marks and measures data, it will not get that data by default. If the timing-allow-origin http response header is set by origin A to allow origin B, then script S will have access. Script X with origin A would always have access to this data.

I had an internal review with some Microsoft security experts, including Eric Lawrence, about this change and their feedback was that we shouldn't have any such restrictions. The web platform has an invariant that including a script into your page is like endorsing it: it has access to everything your scripts have access to. Even if we did try to add such restrictions, enforcing them would not be easy. What if Script X calls a function in Script S and there is no timing-allow-origin header? What if there are redirects?

Stepping back, I don't think there is much value in such restrictions anyway, seeing that independent of User Timing Script S can measure the time it takes to run functions in Script X. I recommend we pull out this entire section and maintain the same security model that is used in the platform today, including respecting all cross-origin sub-document restrictions.

Jatinder

Received on Wednesday, 2 May 2012 00:39:50 UTC