[ResourceTiming]: Changing `nextHopProtocol` exposure to align with spec from Tom McKee on 2022-01-06 (public-web-perf@w3.org from January 2022)

From: Tom McKee <tommckee@chromium.org>
Date: Thu, 6 Jan 2022 17:42:35 -0500
To: public-web-perf@w3.org
Message-ID: <CAD+xnEFPaqZZu-ShnFyeNd3DTxpcOKWgZUVtq7_pMGNc6OHDAg@mail.gmail.com>

Howdy!
[If you don't care about the Resource Timing API or information leakage
about cross-origin connections, feel free to disregard!]

I'm working to fix an issue in Chrome <http://crbug.com/1184726> where
we're divergent from the Resource Timing(RT) + Fetch specs. I wanted to get
some feedback from a wider audience w.r.t. how risky we think the change
will be and to give folks a heads-up that this change is in the works.

*The long-and-short of it is that `nextHopProtocol` will be
hidden-by-default for cross-origin resources.* This means it will behave the
same way
<https://www.w3.org/TR/resource-timing-2/#sec-cross-origin-resources> as
other, potentially sensitive, fields returned through the RT API. Instead
of seeing things like "http/1.1" or "h2", the empty string will be returned
to prevent information about cross-origin connection types 'leaking'. As
with other RT attributes, HTTP responses can include a Timing-Allow-Origin
header <https://www.w3.org/TR/resource-timing-2/#sec-timing-allow-origin> to
allow the information to be shared to cross-origin requesters (useful for
CDNs and the like to help customers understand performance).

I'll be following up with other browser vendors to make sure each
implementation is consistent with the spec and each other. I can't speak to
if/when they'll adopt this approach but I hope to introduce the new
behaviour in Chrome M99. M99 is scheduled for Beta on February 3rd and
Stable on March 1st.

Does anyone think such a change will introduce significant breakage? I
imagine there isn't much content that would rely on `nextHopProtocol` (or
other Resource Timing values, for that matter) but folks that collect RT
data (say, Real User Metrics providers) probably do collect these values.
Apart from seeing a shift in data/dashboards, do we expect
pipelines/use-cases to break here?

Let me know if you have any questions/concerns/feedback!

Thanks,
- Tom

For the curious:
There used to be a special case in Resource Timing for how the
`nextHopProtocol` attribute was exposed across origin boundaries. The
cross-origin protection was only applied in the case where the resource was
being fetched for a `document destination` (think iframes, etc). So, today,
'example1.com' could request an image resource from 'example2.com' and
learn the `nextHopProtocol` value without 'example2.com's "permission".

Received on Friday, 7 January 2022 14:27:57 UTC