Test that we don't indirectly expose redirect timing #30978

Closed

@noamr noamr commented Sep 27, 2021

Exposing connection timing info such as domainLookupStart may expose the
fact that a cross-origin redirect has occurred, information which should
be hidden.

This is fixed in whatwg/html#7105, and this
modifies the test to account for the new behavior.

@yoavweiss yoavweiss left a comment

LGTM

noamr commented Sep 27, 2021

Will merge once whatwg/html#7105 is approved.

@sefeng211

I checked the obsolete interface for PerformanceNavigationTiming. It looks like only some of the timings require the cross-origin check such as redirectStart and redirectEnd. For things like domainLookupStart, we don't seem to do the cross-origin check.

What am I missing? Please feel free to educate me. Thanks!

noamr commented Sep 30, 2021

> I checked the obsolete interface for PerformanceNavigationTiming. It looks like only some of the timings require the cross-origin check such as redirectStart and redirectEnd. For things like domainLookupStart, we don't seem to do the cross-origin check.
>
> What am I missing? Please feel free to educate me. Thanks!

This is a proposed behavior change in the spec, to clarify that navigation timing should behave like resource timing in terms of the TAO-hidden properties. I filed the test and browser bugs together with the proposed spec change. See here.
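Added example (not code from this PR or from web-platform-tests): a check for the leak discussed above, run over a constructed navigation timing entry before and after hiding. The thread does not list which attributes the change would hide, so `TAO_HIDDEN_TIMESTAMPS` is an assumption taken from the timestamps Resource Timing reports as 0 when the Timing-Allow-Origin (TAO) check fails; the function names and sample values are hypothetical.

```javascript
// Assumption: the timestamps Resource Timing zeroes when the TAO check fails.
const TAO_HIDDEN_TIMESTAMPS = [
  "redirectStart", "redirectEnd",
  "domainLookupStart", "domainLookupEnd",
  "connectStart", "connectEnd", "secureConnectionStart",
  "requestStart", "responseStart",
];

// Names of TAO-hidden timestamps that are still non-zero on an entry.
// Meaningful only for a navigation the test routed through a cross-origin
// redirect; in a browser, pass performance.getEntriesByType("navigation")[0].
function exposedTimestamps(entry) {
  return TAO_HIDDEN_TIMESTAMPS.filter((name) => Number(entry[name]) > 0);
}

// Copy of a plain-object entry (e.g. entry.toJSON()) with every TAO-hidden
// timestamp zeroed, the way resource timing treats a failed TAO check.
function hideLikeResourceTiming(entry) {
  const copy = { ...entry };
  for (const name of TAO_HIDDEN_TIMESTAMPS) copy[name] = 0;
  return copy;
}

// Constructed sample (milliseconds): redirectStart/redirectEnd are hidden,
// but the connection timestamps of the final hop are still reported.
const SAMPLE_ENTRY = {
  startTime: 0,
  redirectStart: 0,
  redirectEnd: 0,
  fetchStart: 180.2,
  domainLookupStart: 181.0,
  domainLookupEnd: 195.4,
  connectStart: 195.4,
  secureConnectionStart: 201.3,
  connectEnd: 230.1,
  requestStart: 230.5,
  responseStart: 262.9,
};

console.log("before:", exposedTimestamps(SAMPLE_ENTRY));
console.log("after: ", exposedTimestamps(hideLikeResourceTiming(SAMPLE_ENTRY)));
```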
