Re: [w3ctag/design-reviews] Expose contentEncoding in resourceTiming (Issue #1064)

noamr left a comment (w3ctag/design-reviews#1064)

> There are so many potential side-channels in the platform, I'm not sure that we have a design principle template that we could use that would catch them all. What threat model are we operating under again?

See previous comment for the threat model. It's the same threat model CSP mitigates, in a way.

> 
> Let me see if I understand the constraints that lead to the restriction and - from that - why the defense is effective. Because it is not obvious to me that it is save to reveal `gzip` vs. `identity`/nothing but then unsafe to reveal a higher-entropy signal like a custom coding. The same for content types.
> 
> The [list of redacted values](https://w3c.github.io/resource-timing/#sec-cross-origin-resources) doesn't list either type or codings, but the [opaque report construction](https://fetch.spec.whatwg.org/#create-an-opaque-timing-info) looks like it removes both. If both are erased in the cross-origin case, what is the problem with revealing higher-information otherwise?
> 
> If the case we're talking about is where the content of the response is isolated with CORS (`no-cors`), but `Timing-Allow-Origin` (TAO) is set to release timing information. I guess the question is whether content codings are information that is not part of the timing information that the site is willing to release, or expecting to have released.
> 
> So is this all because content type existed from the definition of resource timing and content encoding is new? That is, we might expect sites to understand that TAO implies access to content type information, but they might not expect the same for content codings?

It's a different type of protection.
`Timing-Allow-Origin` allows the 3p to protect/expose its timing information.
The lower entropy of values in timing information comes to protect against 3rd parties communicating with each other without the first origin's knowledge.

For example, the user might be authenticated to `https://sensitive.example-site`, and the document displays an image from it. It is granted only `img-src` CSP access. That site can now use an arbitrary `Content-Encoding` string to exfiltrate information about the authenticated user. A script loaded from `https://ad-auction.example-site` can now read this information and those sites can "chat".


-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/1064#issuecomment-2943298828
You are receiving this because you are subscribed to this thread.

Message ID: <w3ctag/design-reviews/issues/1064/2943298828@github.com>

Received on Thursday, 5 June 2025 08:48:58 UTC