Re: [whatwg/fetch] Proposal: CORS means TAO by default (Issue #1414)

> > Which attributes would you consider as "resource-level timing"?
> 
> @noamr - from my perspective, resource-level timings include: `redirectStart`, `redirectEnd`, `requestStart`, `responseStart`, `transferSize`, `encodedBodySize` and `decodedBodySize`.

Why should `redirectStart` be more protected than `secureConnectionStart`? How is one of them more/less revealing about the user?

Note that CORS/TAO only protects *user-specific* information - you can connect to the server yourself (from your server) to probe anonymous connection information.

`redirectStart`, for example, can reveal in some cases if the user is logged in, while in the data retrieved via CORS the server can decide whether or not to reveal that information depending on the caller, or to send an error in the JSON instead of a CORS failure.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/1414#issuecomment-1072096868

Received on Friday, 18 March 2022 07:25:18 UTC
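Added example (mine, not code from the thread or from the Fetch/Resource Timing editors): a small model of what the Timing-Allow-Origin (TAO) check hides from a cross-origin document. The gated attribute list follows Resource Timing Level 2 (numeric attributes only; `nextHopProtocol` and `workerStart` are left out of the model), the header parsing is a simplified reading of the TAO header, and the sample entry is constructed, not captured from a browser. It shows why `redirectStart` is in the "resource-level" bucket: with a failed TAO check the redirect timings collapse to 0, so a page cannot tell a redirected (e.g. logged-in) load from a direct one, while `startTime`, `fetchStart`, `responseEnd` and `duration` stay visible either way.

```javascript
// Attributes that Resource Timing returns as 0 when the TAO check fails
// (Resource Timing Level 2; assumption: the model ignores workerStart and
// the string-valued nextHopProtocol).
const TAO_GATED = [
  "redirectStart", "redirectEnd",
  "domainLookupStart", "domainLookupEnd",
  "connectStart", "connectEnd", "secureConnectionStart",
  "requestStart", "responseStart",
  "transferSize", "encodedBodySize", "decodedBodySize",
];

// Simplified Timing-Allow-Origin check: the header is a comma-separated list
// of origins or "*", and the requesting document's origin must appear in it.
// A missing header fails the check.
function timingAllowCheck(headerValue, requestingOrigin) {
  if (headerValue == null) return false;
  return headerValue
    .split(",")
    .map((v) => v.trim())
    .some((v) => v === "*" || v === requestingOrigin);
}

// Return the PerformanceResourceTiming-like entry as the requesting document
// would observe it: full detail if the check passes, gated fields zeroed if not.
function exposeTiming(entry, taoHeader, requestingOrigin) {
  const passed = timingAllowCheck(taoHeader, requestingOrigin);
  const visible = { ...entry };
  if (!passed) {
    for (const key of TAO_GATED) visible[key] = 0;
  }
  return visible;
}

// Constructed sample: a cross-origin fetch that went through one redirect
// (the kind of detail the thread notes can hint at login state).
const SAMPLE_ENTRY = {
  name: "https://api.example/profile",
  startTime: 100,
  redirectStart: 100,
  redirectEnd: 150,
  fetchStart: 150,
  domainLookupStart: 150,
  domainLookupEnd: 155,
  connectStart: 155,
  secureConnectionStart: 160,
  connectEnd: 180,
  requestStart: 181,
  responseStart: 230,
  responseEnd: 240,
  duration: 140,
  transferSize: 4200,
  encodedBodySize: 3900,
  decodedBodySize: 9800,
};

// Convenience: did the observer learn that a redirect happened?
function redirectObservable(entry, taoHeader, requestingOrigin) {
  const v = exposeTiming(entry, taoHeader, requestingOrigin);
  return v.redirectStart !== 0 || v.redirectEnd !== 0;
}

console.log(exposeTiming(SAMPLE_ENTRY, null, "https://app.example"));
console.log(exposeTiming(SAMPLE_ENTRY, "https://app.example", "https://app.example"));
```

Usage: `exposeTiming(entry, responseHeaders.get("timing-allow-origin"), document.location.origin)` mirrors what the browser does before handing an entry to `performance.getEntriesByType("resource")`. The design point is the one made in the thread: TAO is an all-or-nothing switch on the whole attribute set, whereas a CORS-readable JSON body lets the server decide per caller what to disclose.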