Hey all.
We (WebPerf working group) are working towards publishing Resource Timing
L1 as Candidate Recommendation and looking for a review of the draft:
https://cdn.rawgit.com/w3c/resource-timing/V1/index.html
A quick run through the security questionnaire [1]:
- 3.1-3.4: No.
- 3.5: Yes. The PerformanceResourceTiming interface exposes detailed timing
information for fetched resources. This information is available by default
for same-origin resources, and cross-origin resources must opt in via the
Timing-Allow-Origin header. For full details, see:
  - https://cdn.rawgit.com/w3c/resource-timing/V1/index.html#privacy-security
  - https://cdn.rawgit.com/w3c/resource-timing/V1/index.html#cross-origin-resources
- 3.6-3.12: No.
- 3.13: Yes, see 3.5.
- 3.14-3.15: No.
- 3.16: Yes: https://cdn.rawgit.com/w3c/resource-timing/V1/index.html#privacy-security
- 3.17: No.
We would appreciate any feedback or questions on any of the above, or any
other aspect of the draft. If you have any comments, we would prefer if you
file them as issues on GitHub [2]. Alternatively, you can email them to
public-web-perf@w3.org.
Thanks!
[1] https://w3ctag.github.io/security-questionnaire/#questions
[2] https://github.com/w3c/resource-timing
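
Added example (not part of the original message or of the draft's own text): a simplified JavaScript model of the opt-in described under 3.5, usable to audit which cross-origin responses expose detailed timing to a given page. The function names, the sample origins and the treatment of the header value as "*" or a comma-separated origin list are assumptions made for illustration.

```javascript
// Added example: simplified model of the Timing-Allow-Origin opt-in.
// Assumption: the header value is "*" or a comma-separated list of origins.

// Constructed sample data: resource URL plus its Timing-Allow-Origin
// response header (null when the header is absent).
const SAMPLE_RESPONSES = [
  { url: "https://app.example/main.js", tao: null },
  { url: "https://cdn.example/lib.js", tao: null },
  { url: "https://fonts.example/a.woff2", tao: "*" },
  { url: "https://api.example/v1/me", tao: "https://app.example, https://admin.example" },
  { url: "https://api.example/v1/keys", tao: "https://APP.example" },
];

// Decide whether detailed timing for one resource is exposed to a document.
function timingAllowed(documentOrigin, resourceUrl, taoHeader) {
  if (new URL(resourceUrl).origin === documentOrigin) {
    return { allowed: true, reason: "same-origin" };
  }
  if (taoHeader === null || taoHeader === undefined) {
    return { allowed: false, reason: "no-header" };
  }
  const values = taoHeader.split(",").map((v) => v.trim()).filter(Boolean);
  if (values.includes("*")) return { allowed: true, reason: "wildcard" };
  // Modelled here as an exact, case-sensitive string match on the origin.
  if (values.includes(documentOrigin)) {
    return { allowed: true, reason: "origin-listed" };
  }
  return { allowed: false, reason: "origin-not-listed" };
}

// Report, per resource, what a page at documentOrigin would be able to read.
function auditTimingExposure(documentOrigin, responses) {
  return responses.map((r) => ({
    url: r.url,
    ...timingAllowed(documentOrigin, r.url, r.tao),
  }));
}

// Resources whose detailed timing is readable by any embedding origin.
function wildcardExposed(responses) {
  return responses
    .filter((r) => (r.tao || "").split(",").some((v) => v.trim() === "*"))
    .map((r) => r.url);
}

console.log(auditTimingExposure("https://app.example", SAMPLE_RESPONSES));
```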