- From: Xiaoqian Wu <xiaoqian@w3.org>
- Date: Fri, 14 Dec 2018 22:31:01 +0800
- To: public-web-security@w3.org
- Cc: yoav@yoav.ws
Hi WebSec folks,

The WebPerf WG is working on a new version of the Navigation Timing spec:
https://www.w3.org/TR/navigation-timing-2/

Most of the L2 features have been implemented by the major browsers.

[[
Navigation Timing 2 replaces the first version of [NAVIGATION-TIMING] and includes the following changes:
* the definition of Performance interface was moved to [PERFORMANCE-TIMELINE-2];
* builds on top of [RESOURCE-TIMING-2];
* support for [PERFORMANCE-TIMELINE-2];
* support for [HR-TIME-2];
* support for prerender navigations [RESOURCE-HINTS];
* exposes number of redirects since the last non-redirect navigation;
* exposes next hop network protocol;
* exposes transfer, encoded body and decoded body size information;
* secureConnectionStart attribute is now mandatory.
]]

The L2 spec contains a security consideration section, which introduces the timing allow check algorithm defined in Resource Timing L2 spec.
https://www.w3.org/TR/navigation-timing-2/#security

[[
The PerformanceNavigationTiming interface exposes timing information for the current document to any resource loaded by the document, such as a web page or a worker. To limit the access to the PerformanceNavigationTiming interface, the timing allow check algorithm is enforced and certain attributes are set to zero, as described in 4.5 Cross-origin Resources [RESOURCE-TIMING]. Resource providers can explicitly allow all timing information to be collected for a current document by adding the Timing-Allow-Origin HTTP response header, which specifies the domains that are allowed to access the timing information.
]]

Please let us know if there are any new concerns for the Navigation Timing API before the end of January, either by email <public-web-perf@w3.org> or GitHub issues <https://github.com/w3c/navigation-timing/>.

Much appreciated!

-xiaoqian
Received on Friday, 14 December 2018 14:31:06 UTC
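
The timing allow check described in the quoted security section, sketched here as an added example; it is not part of the original message and is not the specification's own text. The function names, the constructed sample entry and the gated attribute list (assumed from the cross-origin rules of Resource Timing Level 2, which the message only refers to as "certain attributes") are not from the message.

```javascript
// Added illustration: a simplified model of the timing allow check, not spec text.
// Assumption: the gated attribute list follows Resource Timing Level 2's
// cross-origin rules; the message above only says "certain attributes".
const GATED = [
  'redirectStart', 'redirectEnd', 'domainLookupStart', 'domainLookupEnd',
  'connectStart', 'connectEnd', 'secureConnectionStart', 'requestStart',
  'responseStart', 'transferSize', 'encodedBodySize', 'decodedBodySize',
];

// Returns true when timing details may be exposed to documentOrigin.
// taoHeaders: raw Timing-Allow-Origin values (repeated and/or comma-separated).
function timingAllowCheck(resourceUrl, documentOrigin, taoHeaders) {
  if (new URL(resourceUrl).origin === documentOrigin) return true; // same origin
  const allowed = taoHeaders
    .flatMap((h) => h.split(','))
    .map((v) => v.trim())
    .filter(Boolean);
  // Case-sensitive comparison against the serialized origin, or the wildcard.
  return allowed.some((v) => v === '*' || v === documentOrigin);
}

// Returns a copy of the entry as the embedding document would see it.
function exposeEntry(entry, documentOrigin, taoHeaders) {
  const visible = { ...entry };
  if (!timingAllowCheck(entry.name, documentOrigin, taoHeaders)) {
    for (const key of GATED) if (key in visible) visible[key] = 0;
  }
  return visible;
}

// Constructed sample entry (values are made up for the example).
const SAMPLE = {
  name: 'https://cdn.example/lib.js', startTime: 12, fetchStart: 13,
  domainLookupStart: 14, domainLookupEnd: 20, connectStart: 20,
  secureConnectionStart: 25, connectEnd: 40, requestStart: 41,
  responseStart: 60, responseEnd: 80, transferSize: 5300,
  encodedBodySize: 5000, decodedBodySize: 16000,
};

function demo() {
  const doc = 'https://app.example';
  return {
    noHeader: exposeEntry(SAMPLE, doc, []),
    wildcard: exposeEntry(SAMPLE, doc, ['*']),
    listed: exposeEntry(SAMPLE, doc, ['https://other.example, https://app.example']),
  };
}
```

When reviewing a deployment, a `*` value means every embedding origin receives the full timing and size fields for that resource, so the header is best scoped to the origins that actually need the data.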