- From: Arvind Jain <arvind@google.com>
- Date: Wed, 7 May 2014 07:13:55 -0700
- To: Boris Zbarsky <bzbarsky@mit.edu>
- Cc: public-web-perf <public-web-perf@w3.org>
Received on Wednesday, 7 May 2014 14:14:24 UTC
Hi Boris,

As listed in step 8 of the processing model, the timing_allow_check is not performed for same origin fetches. The check is only performed for CORS fetches where the Origin header is present.

Please let me know if I missed your point.

Arvind

On Mon, May 5, 2014 at 8:12 PM, Boris Zbarsky <bzbarsky@mit.edu> wrote:

> Specifically, this step:
>
> If the value of Timing-Allow-Origin is not a case-sensitive match for
> the value of the Origin header [IETF RFC 6454], return fail and
> terminate this algorithm.
>
> says to fail and terminate for any response for which an Origin header was
> not sent, as far as I can tell. And nothing really defines when an Origin
> header is sent, except for CORS fetches.
>
> I assume the language currently in the spec is not the actual intent, but
> if so the spec needs to say what it actually means to say here...
>
> -Boris
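The two readings discussed in this thread, side by side, as an added JavaScript sketch that is not part of the original messages or of the specification text. The function names, field names and sample origins are hypothetical, and only the single quoted step plus the same-origin exemption from step 8 are modeled.

```javascript
// Added illustration: field and function names are hypothetical.
// Only the one step quoted in the thread is modeled, not the whole algorithm.

// The quoted step read on its own: anything other than an exact,
// case-sensitive match between Timing-Allow-Origin and Origin fails,
// which includes a response to a request that carried no Origin header.
function timingAllowCheckLiteral(f) {
  const origin = f.originHeader ?? null;
  const tao = f.taoHeader ?? null;
  if (origin === null || tao === null || tao !== origin) return "fail";
  return "pass";
}

// The reading given in the reply: same-origin fetches never reach the check.
function timingAllowed(f) {
  if (f.documentOrigin === f.resourceOrigin) return "pass";
  return timingAllowCheckLiteral(f);
}

// Constructed sample fetches (not taken from real traffic).
const SAMPLES = [
  { name: "same-origin, no Origin header",
    documentOrigin: "https://app.example", resourceOrigin: "https://app.example" },
  { name: "CORS, exact match",
    documentOrigin: "https://app.example", resourceOrigin: "https://cdn.example",
    originHeader: "https://app.example", taoHeader: "https://app.example" },
  { name: "CORS, case differs",
    documentOrigin: "https://app.example", resourceOrigin: "https://cdn.example",
    originHeader: "https://app.example", taoHeader: "https://App.example" },
  { name: "CORS, no Timing-Allow-Origin",
    documentOrigin: "https://app.example", resourceOrigin: "https://cdn.example",
    originHeader: "https://app.example" },
];

// Returns one row per sample with the outcome under each reading.
function compareReadings() {
  return SAMPLES.map((f) => ({
    name: f.name,
    literal: timingAllowCheckLiteral(f),
    withStep8: timingAllowed(f),
  }));
}

console.table(compareReadings());
```

The only row where the two readings disagree is the same-origin fetch, which is the case the thread is about.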