[whatwg/fetch] Does Server-Timing work when not exposed through Access-Control-Expose-Headers? (Issue #1511)

While working on #1509 I realized something about this step in [fetch response handover](https://fetch.spec.whatwg.org/#fetch-finale):

> If response is not a network error and fetchParams’s request’s client is a secure context, then set timingInfo’s server-timing headers to the result of getting, decoding, and splitting \``Server-Timing`\` from response’s header list.

If you have a CORS-filtered response here, it's highly likely you don't have access to the \``Server-Timing`\` header, except if the server explicitly safelisted it. Are those the intended semantics?

cc @yoavweiss @noamr 


Received on Monday, 24 October 2022 09:52:35 UTC
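
An added example (not part of the original issue, and not the Fetch Standard's own algorithm text) that models the concern raised above: if `Server-Timing` is read from a CORS-filtered header list, it is only there when the server exposes it through `Access-Control-Expose-Headers`. The function names, the sample headers, and the naive comma split standing in for "getting, decoding, and splitting" are assumptions of this sketch.

```javascript
// Simplified model of CORS response-header filtering; header lists are
// arrays of [name, value] pairs. All sample data below is constructed.
const SAFELISTED = new Set(["cache-control", "content-language", "content-length",
  "content-type", "expires", "last-modified", "pragma"]);
const FORBIDDEN = new Set(["set-cookie", "set-cookie2"]);

// Names listed in Access-Control-Expose-Headers. "*" acts as a wildcard
// only when the request's credentials mode is not "include".
function exposedNames(headers, credentialsMode) {
  const raw = headers
    .filter(([n]) => n.toLowerCase() === "access-control-expose-headers")
    .flatMap(([, v]) => v.split(","))
    .map((s) => s.trim().toLowerCase())
    .filter(Boolean);
  if (raw.includes("*") && credentialsMode !== "include") return "*";
  return new Set(raw);
}

// Header list a CORS-filtered response would present.
function corsFilter(headers, credentialsMode = "same-origin") {
  const exposed = exposedNames(headers, credentialsMode);
  return headers.filter(([name]) => {
    const n = name.toLowerCase();
    if (FORBIDDEN.has(n)) return false;
    return SAFELISTED.has(n) || exposed === "*" || exposed.has(n);
  });
}

// Assumption: naive comma split; quoted strings are not handled.
function serverTimingValues(headers) {
  return headers
    .filter(([n]) => n.toLowerCase() === "server-timing")
    .flatMap(([, v]) => v.split(","))
    .map((s) => s.trim())
    .filter(Boolean);
}

// Constructed cross-origin responses: one without and one with the opt-in.
const base = [["Content-Type", "text/html"],
              ["Server-Timing", "db;dur=53, app;dur=47.2"]];
const withExpose = [...base, ["Access-Control-Expose-Headers", "Server-Timing"]];

console.log("unfiltered:      ", serverTimingValues(base));
console.log("filtered:        ", serverTimingValues(corsFilter(base)));
console.log("filtered+exposed:", serverTimingValues(corsFilter(withExpose)));
```
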