RE: [ResourceTiming] "timing allow check" steps depend on underdefined behavior

Good point, not all cross-origin fetches will have an Origin header. What if we simplified step 3 of the algorithm as so:

3. If the value of Timing-Allow-Origin is not a match for the value of the origin of the current document, return fail and terminate this algorithm.


-----Original Message-----
From: Boris Zbarsky [mailto:bzbarsky@MIT.EDU] 
Sent: Monday, May 5, 2014 8:12 PM
To: public-web-perf@w3.org
Subject: [ResourceTiming] "timing allow check" steps depend on underdefined behavior

Specifically, this step:

   If the value of Timing-Allow-Origin is not a case-sensitive match for
   the value of the Origin header [IETF RFC 6454], return fail and
   terminate this algorithm.

says to fail and terminate for any response for which an Origin header was not sent, as far as I can tell. And nothing really defines when an Origin header is sent, except for CORS fetches.

I assume the language currently in the spec is not the actual intent, but if so the spec needs to say what it actually means to say here...

-Boris

Received on Thursday, 22 May 2014 16:15:30 UTC
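The two readings of step 3 debated in this thread, as an added Python illustration that is not code from the Resource Timing spec or from either message: the check as currently written compares Timing-Allow-Origin against the request's Origin header, the proposed wording compares it against the document's origin. The header tokenization (space- or comma-separated serialized origins, plus the `*` wildcard) is an assumption the thread does not state.

```python
# Added illustration of the "timing allow check" readings discussed above.
# Not spec text; the Timing-Allow-Origin tokenization below is an assumption.

def _tao_origins(tao):
    """Split a Timing-Allow-Origin value into its listed origins
    (assumption: origins separated by spaces or commas)."""
    return tao.replace(",", " ").split()

def check_as_written(tao, origin_header):
    """Current text: case-sensitive match of TAO against the Origin *header*.
    A plain cross-origin fetch (e.g. an <img>) carries no Origin header, so
    origin_header is None and the check fails even though the server opted in."""
    if tao is None:
        return "fail"
    if tao.strip() == "*":
        return "pass"
    if origin_header is None:
        return "fail"
    return "pass" if origin_header in _tao_origins(tao) else "fail"

def check_proposed(tao, document_origin):
    """Proposed step 3: match TAO against the origin of the current document,
    which is always defined, whether or not the fetch sent an Origin header."""
    if tao is None:
        return "fail"
    if tao.strip() == "*":
        return "pass"
    return "pass" if document_origin in _tao_origins(tao) else "fail"

def compare(document_origin, tao, origin_header):
    """Evaluate both readings on one response; returns (as_written, proposed)."""
    return check_as_written(tao, origin_header), check_proposed(tao, document_origin)

if __name__ == "__main__":
    # Constructed scenario: a page on https://app.example loads a resource from
    # another origin whose response carries Timing-Allow-Origin: https://app.example.
    # Non-CORS fetch: no Origin header, so the readings disagree.
    print(compare("https://app.example", "https://app.example", None))
    # -> ('fail', 'pass')
    # CORS fetch: Origin header present, both readings agree.
    print(compare("https://app.example", "https://app.example", "https://app.example"))
    # -> ('pass', 'pass')
    # Server opted in for a different origin: neither reading exposes timing data.
    print(compare("https://app.example", "https://other.example", "https://app.example"))
    # -> ('fail', 'fail')
```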