[whatwg/fetch] Proposal: CORS means TAO by default (Issue #1414)

See [this conversation](https://github.com/w3c/resource-timing/issues/240)

I think it's time we consider CORS resources as if they have TAO by default. This will allow the document to receive timing information of resources for which the document can already read the data.

Since the intention of CORS is usually to protect user-private information, and in this case the user data is already passed to the document, there is no particular reason to hide the timing information.

We can consider having an opt-out (`Timing-Allow-Origin: none`?) which preserves the current "Give me the data but not the timing" option for servers that wish to specifically hide their user-specific timing information while allowing user data.




Received on Thursday, 17 March 2022 08:20:46 UTC
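
The proposal in the message above, modelled as code. This is an added example, not part of the original issue or of the Fetch or Resource Timing specifications; it compares a simplified version of today's Timing-Allow-Origin check with the proposed "CORS implies TAO" behaviour. The function names, the header-map shape and the `app.example` / `api.example` origins are assumptions, and `none` is only the tentative opt-out token the issue floats.

```javascript
// Simplified model of the checks; header names are lowercase keys in a plain object.
const tokens = (v) => (v || "").split(",").map((t) => t.trim()).filter(Boolean);

// CORS check (simplified): ACAO must equal the origin, or be "*" when the
// request carries no credentials; credentialed requests also need ACAC: true.
function corsCheck(origin, headers, withCredentials) {
  const acao = headers["access-control-allow-origin"];
  if (!acao) return false;
  if (!withCredentials) return acao === "*" || acao === origin;
  return acao === origin && headers["access-control-allow-credentials"] === "true";
}

// Current TAO check: same-origin passes, otherwise the header must list "*" or the origin.
function taoCheckCurrent(origin, resourceOrigin, headers) {
  if (origin === resourceOrigin) return true;
  const tao = tokens(headers["timing-allow-origin"]);
  return tao.includes("*") || tao.includes(origin);
}

// Proposed check: a response that passed CORS also exposes timing, unless it opts out.
// "none" is the tentative opt-out token from the issue, not a shipped value.
function taoCheckProposed(origin, resourceOrigin, headers, mode, withCredentials) {
  if (taoCheckCurrent(origin, resourceOrigin, headers)) return true;
  const optOut = tokens(headers["timing-allow-origin"]).includes("none");
  return mode === "cors" && !optOut && corsCheck(origin, headers, withCredentials);
}

// Constructed sample responses from https://api.example, fetched by https://app.example.
const APP = "https://app.example", API = "https://api.example";
const SAMPLES = [
  { name: "cors, no TAO", mode: "cors", creds: false, headers: { "access-control-allow-origin": APP } },
  { name: "cors, TAO none", mode: "cors", creds: false, headers: { "access-control-allow-origin": APP, "timing-allow-origin": "none" } },
  { name: "no-cors, ACAO set", mode: "no-cors", creds: false, headers: { "access-control-allow-origin": "*" } },
  { name: "no-cors, TAO *", mode: "no-cors", creds: false, headers: { "timing-allow-origin": "*" } },
];

// Returns one row per sample: whether timing is exposed today and under the proposal.
function compare() {
  return SAMPLES.map((s) => ({
    name: s.name,
    current: taoCheckCurrent(APP, API, s.headers),
    proposed: taoCheckProposed(APP, API, s.headers, s.mode, s.creds),
  }));
}

console.table(compare());
```

Only the first sample changes outcome under the proposal: the opt-out keeps timing hidden, and a `no-cors` response gains nothing from an `Access-Control-Allow-Origin` header because no CORS check ran for it.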