Re: [Resource Timing]Statements about cross-origin redirect should be more clearly from James Simonsen on 2013-04-10 (public-web-perf@w3.org from April 2013)

From: James Simonsen <simonjam@google.com>
Date: Tue, 9 Apr 2013 17:08:54 -0700
To: Jatinder Mann <jmann@microsoft.com>
Cc: "Deng, Pan" <pan.deng@intel.com>, "public-web-perf@w3.org" <public-web-perf@w3.org>
Message-ID: <CAPVJQimw+MzZtMJq2aQsKXD_PSg3M_7VOknSdUdS6wHxh6LYKg@mail.gmail.com>

Works for me.

I think we need to make some more changes to 3.19 in the processing model
to clarify that though. We should have a "flag" in the processing model
that indicates redirectStart/End have been cleared. If that flag is set, we
should never proceed to 3.19b, even if this particular redirect is allowed.

James


On Tue, Apr 9, 2013 at 4:53 PM, Jatinder Mann <jmann@microsoft.com> wrote:

>  Based on the current spec text, seems like the behavior we had agreed
> upon in the past was that if any of the redirects are not of the same
> origin as the current document and if any of them do not pass the timing
> allow check algorithm, we will zero out the redirectStart and redirectEnd
> attributes. I think the idea here is that either we give the true
> redirection time or we give a zero’d out time. If we give a partial value,
> it may not be clear that this isn’t the true redirection time.****
>
> ** **
>
> Thanks,****
>
> Jatinder****
>
> ** **
>
> *From:* James Simonsen [mailto:simonjam@chromium.org]
> *Sent:* Tuesday, April 9, 2013 1:50 PM
> *To:* Deng, Pan
> *Cc:* Jatinder Mann; public-web-perf@w3.org
> *Subject:* Re: [Resource Timing]Statements about cross-origin redirect
> should be more clearly****
>
> ** **
>
> Sounds good to me. The important thing is that each redirect must allow
> the document's origin.****
>
> ** **
>
> The only question is what to do if R2 disallows and the rest allow. Should
> we include R3 in redirectStart/End or just leave those fields permanently
> zeroed out? Is there any risk in revealing where in the chain the
> cross-origin redirect may have occurred?****
>
> ** **
>
> James****
>
> ** **
>
> On Mon, Apr 1, 2013 at 2:10 AM, Deng, Pan <pan.deng@intel.com> wrote:****
>
>  Retrieve this thread as it is cold.****
>
> I think the proposed clarification will clear the usage for browser/web
> developer, and it won’t change intended meaning of Resource Timing spec,
> any comments? J****
>
>  ****
>
> Thanks****
>
> Pan****
>
>  ****
>
> *From:* Deng, Pan [mailto:pan.deng@intel.com]
> *Sent:* Monday, February 04, 2013 5:12 PM
> *To:* public-web-perf@w3.org
> *Subject:* [Resource Timing]Statements about cross-origin redirect should
> be more clearly****
>
>  ****
>
> In Section 4.3 about ‘redirectStart’, ‘redirectEnd’, CR doc[1]says: "if
> any of the redirects are not from the same origin as the current document,
> and the Timing-Allow-Origin HTTP response header rules are met, this
> attribute must return ……"****
>
> What is the meaning of "Timing-Allow-Origin HTTP response header rules are
> met"?****
>
> Consider scenario: doc D req R1 -> R2 -> R3 -> R4. ( "->" : redirect, R4
> is the final resource)****
>
> It may imply:****
>
> a), Any Ri’s response timing-allowing-origin D. (apply to any Ri and doc D)
> ****
>
> b), R1’s response timing-allow-origin D, R2’s response timing allow R1…
> till R4’s response timing allow R3. (apply to redirect chain)****
>
>  ****
>
> From timing-allow-check algorithm in [2], it can be inferred that a) is
> the right one.****
>
> However, Processing Model 3.19a of [1] says “If the current resource and
> the resource that is redirected to are not from the same origin, set
> redirectStart and redirectEnd to 0”. Here redirectStart/End should be reset
> once there is a cross-origin redirect, without Timing-Allow-Origin
> consideration at all, is it a typo here?****
>
>  ****
>
> To make the spec more clearly, I suggest a small modification to avoid the
> inconsistency:****
>
> Statement in section 4.3 can be modified to “if any of the redirects are
> not from the same origin as the current document, and the
> Timing-Allow-Origin HTTP response header rules are met by current document”,
> ****
>
> and Processing Model 3.19a can be modified to “current resource and the
> document are not from same origin, and Timing-Allow-Origin HTTP response
> header rule is not met by the document, set redirectStart and redirectEnd
> to 0”.****
>
> Any idea?****
>
>  ****
>
> Thanks J****
>
> Pan****
>
>  ****
>
> [1] http://www.w3.org/TR/2012/CR-resource-timing-20120522/****
>
> [2]
> https://dvcs.w3.org/hg/webperf/raw-file/tip/specs/ResourceTiming/Overview..html#timing-allow-check
> ****
>
>  ****
>
>  ** **
>

Received on Wednesday, 10 April 2013 10:55:39 UTC