
Review of Resource Timing L1 (webperf)

From: Ilya Grigorik <igrigorik@gmail.com>
Date: Tue, 31 May 2016 12:57:47 -0700
Message-ID: <CAKRe7JGPLh8Vai4sAPxakShGoB7qCX8V=S2wAwojW9OObaeG8w@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Cc: Todd Reifsteck <toddreif@microsoft.com>, Philippe Le Hégaret <plh@w3.org>
Hey all.

We (WebPerf working group) are working towards publishing Resource Timing
L1 as Candidate Recommendation and looking for a review of the draft:

https://cdn.rawgit.com/w3c/resource-timing/V1/index.html

A quick run through the security questionnaire [1]:

   - 3.1-3.4: No.
   - 3.5: Yes. PerformanceResourceTiming interface exposes detailed timing
   information for fetched resources. This information is available by default
   for same-origin resources and cross-origin resources must opt in via the
   Timing-Allow-Origin header. For full details, see:
      - https://cdn.rawgit.com/w3c/resource-timing/V1/index.html#privacy-security
      - https://cdn.rawgit.com/w3c/resource-timing/V1/index.html#cross-origin-resources
   - 3.6-3.12: No.
   - 3.13: Yes, see 3.5
   - 3.14-3.15: No.
   - 3.16: Yes:
   https://cdn.rawgit.com/w3c/resource-timing/V1/index.html#privacy-security
   - 3.17: No.

We would appreciate any feedback or questions on any of the above, or any
other aspect of the draft. If you have any comments, we would prefer if you
file them as issues on GitHub [2]. Alternatively, you can email them to
public-web-perf@w3.org.

Thanks!

[1] https://w3ctag.github.io/security-questionnaire/#questions
[2] https://github.com/w3c/resource-timing
Received on Tuesday, 31 May 2016 19:58:55 UTC
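
The opt-in described under item 3.5, as an added example that is not part of the original message or of the Resource Timing draft: a simplified JavaScript model of the same-origin default and the Timing-Allow-Origin opt-in, used to audit which responses expose detailed timing to a given page. The function names, host names and sample headers are constructed for illustration, and the matching rule (exact origin or `*`) is a simplification of the draft's check.

```javascript
// Simplified model of the Timing-Allow-Origin opt-in; not the draft's
// normative algorithm. All names and sample data are constructed.

// Collect Timing-Allow-Origin values (header names are case-insensitive,
// values are a comma-separated list).
function taoValues(headers) {
  const values = [];
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === 'timing-allow-origin') {
      values.push(...String(value).split(',').map((v) => v.trim()));
    }
  }
  return values.filter((v) => v.length > 0);
}

// For each response, report whether a page at documentUrl would see
// detailed timing, and whether that is due to a wildcard opt-in.
function auditTimingExposure(documentUrl, responses) {
  const docOrigin = new URL(documentUrl).origin;
  return responses.map(({ url, headers }) => {
    const sameOrigin = new URL(url).origin === docOrigin;
    const tao = taoValues(headers);
    const optedIn = tao.includes('*') || tao.includes(docOrigin);
    return {
      url,
      sameOrigin,
      exposed: sameOrigin || optedIn,
      // A wildcard exposes timing to every embedding origin; worth reviewing.
      wildcard: !sameOrigin && tao.includes('*'),
    };
  });
}

// Constructed sample responses for a page served from https://shop.example
const SAMPLE_RESPONSES = [
  { url: 'https://shop.example/app.js', headers: {} },
  { url: 'https://cdn.example/lib.js',
    headers: { 'Timing-Allow-Origin': 'https://shop.example' } },
  { url: 'https://fonts.example/f.woff2', headers: { 'timing-allow-origin': '*' } },
  { url: 'https://ads.example/t.gif', headers: {} },
  { url: 'https://api.example/data',
    headers: { 'Timing-Allow-Origin': 'https://other.example, https://third.example' } },
];

const report = auditTimingExposure('https://shop.example/cart', SAMPLE_RESPONSES);
for (const r of report) {
  console.log(`${r.exposed ? 'exposed' : 'hidden '} ${r.wildcard ? '(wildcard) ' : ''}${r.url}`);
}
```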
