Re: [whatwg/fetch] Don't automaticallly report resource timing for cross-origin TAO-fail… (PR #1579) from Noam Rosenthal on 2023-01-03 (public-webapps-github@w3.org from January 2023)

From: Noam Rosenthal <notifications@github.com>
Date: Tue, 03 Jan 2023 00:50:48 -0800
To: whatwg/fetch <fetch@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <whatwg/fetch/pull/1579/review/1234232306@github.com>

@noamr commented on this pull request.



> -
-      <p class=note>This covers the case of <var>response</var> being a <a>network error</a>.
+      then:
+       <ol>
+        <li>
+         <p>If <var>fetchParams</var>'s
+         <a for="fetch params">request</a>'s <a for=request>mode</a> is "<code>navigate</code>",
+         then abort these <a for="fetch controller">report timing steps</a>.
+
+         <p class=note>Reporting timing information for cross-origin navigations without
+         `<code>Timing-Allow-Origin</code>` may expose information about user interaction with that
+         origin.
+
+        <li>
+         <p>Set <var>timingInfo</var> to the result of <a>creating an opaque timing info</a> for
+          <var>timingInfo</var>, set <var>bodyInfo</var> to a new <a for=/>response body info</a>,

Fixed

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/1579#discussion_r1060373649
You are receiving this because you are subscribed to this thread.

Message ID: <whatwg/fetch/pull/1579/review/1234232306@github.com>

Received on Tuesday, 3 January 2023 08:51:01 UTC