RE: [Resource Timing]Statements about cross-origin redirect should be more clearly from Deng, Pan on 2013-04-01 (public-web-perf@w3.org from April 2013)

From: Deng, Pan <pan.deng@intel.com>
Date: Mon, 1 Apr 2013 09:10:02 +0000
To: Jatinder Mann <jmann@microsoft.com>, "public-web-perf@w3.org" <public-web-perf@w3.org>
Message-ID: <BA467B16E3516645B35B7BB72D744DBA1076D2F8@SHSMSX102.ccr.corp.intel.com>

Retrieve this thread as it is cold.
I think the proposed clarification will clear the usage for browser/web developer, and it won't change intended meaning of Resource Timing spec, any comments? :)

Thanks
Pan

From: Deng, Pan [mailto:pan.deng@intel.com]
Sent: Monday, February 04, 2013 5:12 PM
To: public-web-perf@w3.org
Subject: [Resource Timing]Statements about cross-origin redirect should be more clearly

In Section 4.3 about 'redirectStart', 'redirectEnd', CR doc[1]says: "if any of the redirects are not from the same origin as the current document, and the Timing-Allow-Origin HTTP response header rules are met, this attribute must return ......"
What is the meaning of "Timing-Allow-Origin HTTP response header rules are met"?
Consider scenario: doc D req R1 -> R2 -> R3 -> R4. ( "->" : redirect, R4 is the final resource)
It may imply:
a), Any Ri's response timing-allowing-origin D. (apply to any Ri and doc D)
b), R1's response timing-allow-origin D, R2's response timing allow R1... till R4's response timing allow R3. (apply to redirect chain)

>From timing-allow-check algorithm in [2], it can be inferred that a) is the right one.
However, Processing Model 3.19a of [1] says "If the current resource and the resource that is redirected to are not from the same origin, set redirectStart and redirectEnd to 0". Here redirectStart/End should be reset once there is a cross-origin redirect, without Timing-Allow-Origin consideration at all, is it a typo here?

To make the spec more clearly, I suggest a small modification to avoid the inconsistency:
Statement in section 4.3 can be modified to "if any of the redirects are not from the same origin as the current document, and the Timing-Allow-Origin HTTP response header rules are met by current document",
and Processing Model 3.19a can be modified to "current resource and the document are not from same origin, and Timing-Allow-Origin HTTP response header rule is not met by the document, set redirectStart and redirectEnd to 0".
Any idea?

Thanks :)
Pan

[1] http://www.w3.org/TR/2012/CR-resource-timing-20120522/
[2] https://dvcs.w3.org/hg/webperf/raw-file/tip/specs/ResourceTiming/Overview.html#timing-allow-check

Received on Monday, 1 April 2013 09:11:05 UTC