- From: Jatinder Mann <jmann@microsoft.com>
- Date: Thu, 22 May 2014 16:15:01 +0000
- To: Boris Zbarsky <bzbarsky@MIT.EDU>, "public-web-perf@w3.org" <public-web-perf@w3.org>
Good point, not all cross-origin fetches will have an Origin header. What if we simplified step 3 of the algorithm as so:

3. If the value of Timing-Allow-Origin is not a match for the value of the origin of the current document, return fail and terminate this algorithm.

-----Original Message-----
From: Boris Zbarsky [mailto:bzbarsky@MIT.EDU]
Sent: Monday, May 5, 2014 8:12 PM
To: public-web-perf@w3.org
Subject: [ResourceTiming] "timing allow check" steps depend on underdefined behavior

Specifically, this step:

If the value of Timing-Allow-Origin is not a case-sensitive match for the value of the Origin header [IETF RFC 6454], return fail and terminate this algorithm.

says to fail and terminate for any response for which an Origin header was not sent, as far as I can tell. And nothing really defines when an Origin header is sent, except for CORS fetches.

I assume the language currently in the spec is not the actual intent, but if so the spec needs to say what it actually means to say here...

-Boris

Received on Thursday, 22 May 2014 16:15:30 UTC
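
The two wordings of step 3 discussed in this message, side by side, as an added example that is not part of the original thread or of the Resource Timing specification. The function names, field names and the `.example` origins are hypothetical or constructed, only step 3 is modelled, and "match" in the proposed wording is assumed to mean exact string equality.

```javascript
// Added illustration, not spec text. All function and field names are hypothetical.
// Only step 3 of the "timing allow check" is modelled; "continue" means step 3
// did not fail and the algorithm would go on to its next step.

// Step 3 as currently specified: compare with the request's Origin header.
function step3Current(timingAllowOrigin, requestHeaders) {
  const origin = requestHeaders["origin"]; // undefined if no Origin header was sent
  if (origin === undefined || timingAllowOrigin !== origin) return "fail";
  return "continue";
}

// Step 3 as proposed in the reply: compare with the current document's origin.
// Assumption: "match" is treated as exact string equality.
function step3Proposed(timingAllowOrigin, documentOrigin) {
  if (timingAllowOrigin !== documentOrigin) return "fail";
  return "continue";
}

// Constructed sample fetches made by a document at https://app.example.
const documentOrigin = "https://app.example";
const sampleFetches = [
  { name: "CORS fetch, Origin header sent",
    requestHeaders: { origin: "https://app.example" },
    timingAllowOrigin: "https://app.example" },
  { name: "cross-origin fetch without Origin header",
    requestHeaders: {},
    timingAllowOrigin: "https://app.example" },
  { name: "server allows a different origin",
    requestHeaders: { origin: "https://app.example" },
    timingAllowOrigin: "https://other.example" },
];

// Runs both wordings over each fetch and returns the outcomes for comparison.
function compareWordings(fetches, docOrigin) {
  return fetches.map((f) => ({
    name: f.name,
    current: step3Current(f.timingAllowOrigin, f.requestHeaders),
    proposed: step3Proposed(f.timingAllowOrigin, docOrigin),
  }));
}

console.table(compareWordings(sampleFetches, documentOrigin));
```

The second row is the case raised in the thread: the server opts the document's origin in, but the current wording still fails because no Origin header exists to compare against.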