From 5632bca45c09b08ce64f7afcca149acfc15e8757 Mon Sep 17 00:00:00 2001
From: Noam Rosenthal <noam@webkit.org>
Date: Thu, 23 Sep 2021 15:53:42 +0300
Subject: [PATCH] Hide some navigation timing info when cross-origin redirects
 are present

When a navigation includes cross-origin redirects, the navigation timing
entry should not include information about redirect timing and internal
network timing, as that may expose cross-origin timing information.

This is already implemented and tested, but has been omitted when
refactoring the navigation timing spec into HTML.

Closes #7104
---
 source | 32 ++++++++++++++++++++++++--------
 1 file changed, 24 insertions(+), 8 deletions(-)

diff --git a/source b/source
index 5f5ddab208c..ce93377b57b 100644
--- a/source
+++ b/source
@@ -2482,6 +2482,7 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
      <li>the <dfn data-x-href="https://fetch.spec.whatwg.org/#requestdestination"><code>RequestDestination</code></dfn> enumeration</li>
      <li>the <dfn data-x-href="https://fetch.spec.whatwg.org/#dom-global-fetch"><code>fetch()</code></dfn> method</li>
      <li><dfn data-x="serialize-a-response-url-for-reporting" data-x-href="https://fetch.spec.whatwg.org/#serialize-a-response-url-for-reporting">serialize a response URL for reporting</dfn></li>
+     <li><dfn data-x="create-an-opaque-timing-info" data-x-href="https://fetch.spec.whatwg.org/l#create-an-opaque-timing-info">create an opaque timing info</dfn></li>
      <li>
       <dfn data-x="concept-response"
       data-x-href="https://fetch.spec.whatwg.org/#concept-response">response</dfn> and its
@@ -3964,6 +3965,7 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
      <li><dfn data-x="on-fetch-request-algorithm" data-x-href="https://w3c.github.io/ServiceWorker/#on-fetch-request-algorithm">handle fetch</dfn></li>
      <li><dfn data-x="scope-match-algorithm" data-x-href="https://w3c.github.io/ServiceWorker/#scope-match-algorithm">match service worker registration</dfn></li>
      <li><dfn data-x="dfn-service-worker" data-x-href="https://w3c.github.io/ServiceWorker/#dfn-service-worker">service worker</dfn></li>
+     <li><dfn data-x="service-worker-timing-info" data-x-href="https://w3c.github.io/ServiceWorker/#service-worker-timing-info">service worker timing info</dfn></li>
      <li><dfn data-x="serviceworkercontainer-service-worker-client" data-x-href="https://w3c.github.io/ServiceWorker/#serviceworkercontainer-service-worker-client">service worker client</dfn></li>
      <li><dfn data-x-href="https://w3c.github.io/ServiceWorker/#serviceworker"><code>ServiceWorker</code></dfn> interface</li>
      <li><dfn data-x-href="https://w3c.github.io/ServiceWorker/#serviceworkercontainer"><code>ServiceWorkerContainer</code></dfn> interface</li>
@@ -87520,16 +87522,30 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
    </li>
 
    <li><p>Let <var>redirectCount</var> be 0 if <var>navigationParams</var>'s <span
-   data-x="navigation-params-has-cross-origin-redirects">has cross-origin redirects</span> is true;
-   otherwise <var>navigationParams</var>'s <span data-x="navigation-params-request">request</span>'s
-   <span data-x="concept-request-redirect-count">redirect count</span>.
+    data-x="navigation-params-has-cross-origin-redirects">has cross-origin redirects</span> is
+    true; otherwise <var>navigationParams</var>'s
+    <span data-x="navigation-params-request">request</span>'s
+    <span data-x="concept-request-redirect-count">redirect count</span>.</p></li>
+
+   <li><p>Let <var>timingInfo</var> be the result of
+    <span data-x="create-an-opaque-timing-info">creating an opaque timing info</span> given
+    <var>navigationParams</var>'s <span data-x="navigation-params-response">response</span>'s
+    <span data-x="concept-response-timing-info">timing info</span> if <var>navigationParams</var>'s
+    <span data-x="navigation-params-has-cross-origin-redirects">has cross-origin redirects</span>
+    is true; otherwise <span data-x="navigation-params-response">response</span>'s
+    <span data-x="concept-response-timing-info">timing info</span>.</p></li>
+
+   <li><p>Let <var>serviceWorkerTimingInfo</var> be
+    a new <span data-x="service-worker-timing-info">service worker timing info</span>
+    if <var>navigationParams</var>'s <span
+    data-x="navigation-params-has-cross-origin-redirects">has cross-origin redirects</span> is
+    true; otherwise <span data-x="navigation-params-response">response</span>'s
+    <span data-x="concept-response-service-worker-timing-info">service worker timing info</span>.
+    </p></li>
 
    <li><p><span>Create the navigation timing entry</span> for <var>document</var>, with
-   <var>navigationParams</var>'s <span data-x="navigation-params-response">response</span>'s <span
-   data-x="concept-response-timing-info">timing info</span>,
-   <span data-x="navigation-params-response">response</span>'s <span
-   data-x="concept-response-service-worker-timing-info">service worker timing info</span>,
-   <var>redirectCount</var>, and <var>navigationType</var>.</p></li>
+    <var>timingInfo</var>, <var>serviceWorkerTimingInfo</var>, <var>redirectCount</var>, and
+    <var>navigationType</var>.</p></li>
 
    <li>
     <p>If <var>navigationParams</var>'s <span data-x="navigation-params-response">response</span>