Request Security Review of Navigation Timing Level 2

Hi WebSec folks,

The WebPerf WG is working on a new version of the Navigation Timing 
spec:
   https://www.w3.org/TR/navigation-timing-2/

Most of the L2 features have been implemented by the major browsers.
[[
Navigation Timing 2 replaces the first version of [NAVIGATION-TIMING] 
and includes the following changes:

* the definition of Performance interface was moved to 
[PERFORMANCE-TIMELINE-2];
* builds on top of [RESOURCE-TIMING-2];
* support for [PERFORMANCE-TIMELINE-2];
* support for [HR-TIME-2];
* support for prerender navigations [RESOURCE-HINTS];
* exposes number of redirects since the last non-redirect navigation;
* exposes next hop network protocol;
* exposes transfer, encoded body and decoded body size information;
* secureConnectionStart attribute is now mandatory.
]]

The L2 spec contains a security considerations section, which introduces 
the timing allow check algorithm defined in the Resource Timing L2 spec.
   https://www.w3.org/TR/navigation-timing-2/#security
[[
The PerformanceNavigationTiming interface exposes timing information for 
the current document to any resource loaded by the document, such as a 
web page or a worker. To limit the access to the 
PerformanceNavigationTiming interface, the timing allow check algorithm 
is enforced and certain attributes are set to zero, as described in 4.5 
Cross-origin Resources [RESOURCE-TIMING]. Resource providers can 
explicitly allow all timing information to be collected for a current 
document by adding the Timing-Allow-Origin HTTP response header, which 
specifies the domains that are allowed to access the timing information.
]]

Please let us know if there are any new concerns for the Navigation 
Timing API before the end of January, either by email 
<public-web-perf@w3.org> or GitHub issues 
<https://github.com/w3c/navigation-timing/>.

Much appreciated!

-xiaoqian

Received on Friday, 14 December 2018 14:31:06 UTC