Re: [whatwg/fetch] Don't automatically report resource timing for cross-origin TAO-fail… (PR #1579)

@annevk commented on this pull request.



> @@ -4667,11 +4667,25 @@ steps:
 
      <li>
       <p>If <var>response</var>'s <a for=response>timing allow passed flag</a> is not set,
-      then set <var>timingInfo</var> to the result of <a>creating an opaque timing info</a> for
-      <var>timingInfo</var>, set <var>bodyInfo</var> to a new <a for=/>response body info</a>, and
-      set <var>cacheState</var> to the empty string.
-
-      <p class=note>This covers the case of <var>response</var> being a <a>network error</a>.
+      then:
+       <ol>
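
Review bot: The removed `<p class=note>` stating that this branch covers <var>response</var> being a network error has no counterpart in the added lines shown here. If it is not restored after the new `<ol>`, please keep it or an equivalent sentence, since readers otherwise lose the hint that the flag-not-set condition also catches network errors.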

Indented too much by 1. (Goes for the entire block.) Could also use a newline before the `<ol>`.

> @@ -4667,11 +4667,25 @@ steps:
 
      <li>
       <p>If <var>response</var>'s <a for=response>timing allow passed flag</a> is not set,
-      then set <var>timingInfo</var> to the result of <a>creating an opaque timing info</a> for
-      <var>timingInfo</var>, set <var>bodyInfo</var> to a new <a for=/>response body info</a>, and
-      set <var>cacheState</var> to the empty string.
-
-      <p class=note>This covers the case of <var>response</var> being a <a>network error</a>.
+      then:
+       <ol>
+        <li>
+         <p>If <var>fetchParams</var>'s
+         <a for="fetch params">request</a>'s <a for=request>mode</a> is "<code>navigate</code>",
+         then abort these <a for="fetch controller">report timing steps</a>.
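
Review bot: In the new first `<li>`, the abort applies to every "navigate" request that reaches this branch, and per the note being removed just above, this branch also covers <var>response</var> being a network error, not only a failed TAO check. If failed navigations are meant to go unreported as well, say so in the step or its note; if not, the condition needs an additional check on <var>response</var>.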

I think we should just say "abort these steps".

> -
-      <p class=note>This covers the case of <var>response</var> being a <a>network error</a>.
+      then:
+       <ol>
+        <li>
+         <p>If <var>fetchParams</var>'s
+         <a for="fetch params">request</a>'s <a for=request>mode</a> is "<code>navigate</code>",
+         then abort these <a for="fetch controller">report timing steps</a>.
+
+         <p class=note>Reporting timing information for cross-origin navigations without
+         `<code>Timing-Allow-Origin</code>` may expose information about user interaction with that
+         origin.
+
+        <li>
+         <p>Set <var>timingInfo</var> to the result of <a>creating an opaque timing info</a> for
+          <var>timingInfo</var>, set <var>bodyInfo</var> to a new <a for=/>response body info</a>,
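
Review bot: The `<p class=note>` in the first `<li>` speaks of cross-origin navigations, but the step's condition only tests that the mode is "navigate" inside the flag-not-set branch, so the reader has to infer where "cross-origin" comes from. Consider tying the note to the condition as written, and naming who would be able to observe the timing, since "may expose information about user interaction with that origin" does not say which party learns what.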

Indentation went wrong.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/1579#pullrequestreview-1234223943

Message ID: <whatwg/fetch/pull/1579/review/1234223943@github.com>

Received on Tuesday, 3 January 2023 08:48:29 UTC