Re: [whatwg/fetch] Don't automaticallly report resource timing for cross-origin TAO-fail… (PR #1579) from Noam Rosenthal on 2023-01-03 (public-webapps-github@w3.org from January 2023)

From: Noam Rosenthal <notifications@github.com>
Date: Tue, 03 Jan 2023 04:53:09 -0800
To: whatwg/fetch <fetch@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <whatwg/fetch/pull/1579/review/1234506709@github.com>

@noamr commented on this pull request.



>  
-      <p class=note>This covers the case of <var>response</var> being a <a>network error</a>.
+      <ol>
+       <li>
+        <p>If <var>fetchParams</var>'s
+        <a for="fetch params">request</a>'s <a for=request>mode</a> is "<code>navigate</code>",
+        then abort these steps.
+
+        <p class=note>Reporting timing information for cross-origin navigations without
+        `<code>Timing-Allow-Origin</code>` may expose information about user interaction with that
+        origin.

Rephrased a bit

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/1579#discussion_r1060558048
You are receiving this because you are subscribed to this thread.

Message ID: <whatwg/fetch/pull/1579/review/1234506709@github.com>

Received on Tuesday, 3 January 2023 12:53:21 UTC