Re: detecting connection speed from Ilya Grigorik on 2013-12-12 (public-web-perf@w3.org from December 2013)

From: Ilya Grigorik <igrigorik@google.com>
Date: Wed, 11 Dec 2013 19:54:27 -0800
To: Nic Jansma <nic@nicj.net>
Cc: "Reitbauer, Alois" <Alois.Reitbauer@compuware.com>, Yoav Weiss <yoav@yoav.ws>, James Graham <james@hoppipolla.co.uk>, public-web-perf <public-web-perf@w3.org>
Message-ID: <CADXXVKp7VRHG9qUaxcCjZKb2dDCpGw18jzPfKtzy08LmaA9KZg@mail.gmail.com>

On Wed, Dec 11, 2013 at 7:36 PM, Nic Jansma <nic@nicj.net> wrote:

> One of the reasons ResourceTiming v1 didn't expose bytes transferred was
> due to cross-origin security concerns, eg. detecting if a user had already
> downloaded a known image from a separate site mybank.com.  I would assume
> that is still a security concern, and it may limit the usefulness for some
> of the use-cases presented if they involve other origins.
>
> I hadn't seen cross-origin limitations brought up, so I wanted to make
> sure everyone that was discussing this was aware of the issue.
>
> Here's a thread from last year that discussed byte-size a bit:
> http://lists.w3.org/Archives/Public/public-web-perf/2013Jan/0000.html

I don't follow the reasoning behind limiting this information for
third-party origins -- can someone elaborate? First, we already require
that third-party resources must opt-in into ResourceTiming via an
additional header, and second, I would posit that anything you can "infer"
about the user via bytesize is equally guessable via timing the resource
itself... and we've already elaborated on that in the privacy section [1].

[1] http://www.w3.org/TR/resource-timing/#privacy-security

Received on Thursday, 12 December 2013 03:55:35 UTC