[ResourceTiming] "timing allow check" steps depend on underdefined behavior

Specifically, this step:

   If the value of Timing-Allow-Origin is not a case-sensitive match for
   the value of the Origin header [IETF RFC 6454], return fail and
   terminate this algorithm.

says to fail and terminate for any response for which an Origin header 
was not sent, as far as I can tell.  And nothing really defines when an 
Origin header is sent, except for CORS fetches.

I assume the language currently in the spec is not the actual intent, 
but if so the spec needs to say what it actually means to say here...


Received on Tuesday, 6 May 2014 03:12:48 UTC