Make TAO a subset of CORS

Open yoavweiss opened this issue 7 years ago • 5 comments

The current timing allow check algorithm does not take CORS into account. Effectively that means that even when a response is not opaque and its contents can be inspected by script, its detailed timing information will not be available.

I believe that if a request's response is available for inspection, its timing information cannot reveal any new information, so there's no reason for us to gate it on the presence of TAO headers. Therefore, I propose to further integrate the timing allow check with the CORS check, so that if the latter passes, the former passes as well.

/cc @annevk

yoavweiss avatar Nov 13 '18 08:11 yoavweiss

I agree with what you're going for here, but to be clear, you cannot perform a CORS check on an arbitrary response. If you fetch something with mode "cors" and you get a response, all is good. You want https://html.spec.whatwg.org/#cors-same-origin which at some point we should uplift to Fetch I suppose. (This is also what's wrong with the timing allow check and putting the focus on that. It's really a property of the entire fetching process as this kind of check needs to be applied to each applicable redirect, etc.)

annevk avatar Nov 13 '18 08:11 annevk

Discussed on the WG call:

  • This will require a security/privacy review to make sure this doesn't enable any attack scenarios
  • We need to evaluate the impact (AI on @nicjansma & @yoavweiss to gather data)
  • This requires Fetch integration, so makes sense to push this to L3

yoavweiss avatar Nov 27 '18 20:11 yoavweiss

I don't think it makes sense to continue pushing everyone out that requires Fetch integration, as you're effectively postponing rather critical infrastructure issues.

annevk avatar Nov 28 '18 07:11 annevk

@annevk - opened https://github.com/w3c/resource-timing/issues/179 as this is an orthogonal discussion to this specific issue. Let's have it there.

yoavweiss avatar Nov 28 '18 09:11 yoavweiss

I did a crawl of the Alexa 1K and split resources out into 4 categories:

  • Fully Visible: Available in ResourceTiming and have full timing information (same-origin or have TAO)
  • Restricted: Available in ResourceTiming and have partial timing (cross-origin without TAO)
    • Allowed by CORS: Restricted entries that have an ACAO header
  • Missing: Not available in ResourceTiming (fetched from a cross-origin IFRAME)

Here's the Alexa 1K totals:

  • Resources: 106,152
    • Fully Visible: 29,497 (27%)
    • Restricted: 56,889 (53.5%)
      • Allowed by CORS: 23,991 (42% of Restricted)
    • Missing: 19,766 (18%)

So if we were to apply the CORS check if TAO is missing, around 42% of Restricted entries could be made Fully Visible, and the overall Fully Visible entries might increase from around 27% to around 50%.

(note I didn't verify if the ACAO header satisfies the CORS check, just the existence of one)

nicjansma avatar Jan 08 '19 14:01 nicjansma
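An added example, not code from the w3c/resource-timing thread, that models the crawl categories above in Node.js: the current Timing-Allow-Origin check, a simplified CORS check, and how the proposed "CORS passes, so TAO passes" rule would move entries from Restricted to Fully Visible. The header matching, the `corsCheck` simplification (credentials mode ignored) and the sample responses are assumptions for the demo.

```javascript
// Added example (not from the w3c/resource-timing thread): a small model of
// the Resource Timing "timing allow check", with and without the proposed
// rule that a response passing the CORS check also passes the TAO check.
// Header matching is a simplification of the spec: Timing-Allow-Origin is a
// comma-separated list whose members are "*" or an origin serialization,
// compared case-sensitively.

function taoListMatches(headerValue, origin) {
  if (typeof headerValue !== 'string') return false;
  return headerValue
    .split(',')
    .map((v) => v.trim())
    .some((v) => v === '*' || v === origin);
}

// Current algorithm: only Timing-Allow-Origin is consulted.
function timingAllowCheck(response, origin) {
  return taoListMatches(response.headers['timing-allow-origin'], origin);
}

// Simplified CORS check (assumption): Access-Control-Allow-Origin is "*" or
// exactly the requesting origin. Credentials-mode rules are ignored here.
function corsCheck(response, origin) {
  const acao = response.headers['access-control-allow-origin'];
  return acao === '*' || acao === origin;
}

// Classify one fetched resource the way the crawl did: same-origin or TAO
// gives Fully Visible; otherwise Restricted, noting whether the proposed
// CORS rule would lift the restriction.
function classify(response, documentOrigin) {
  if (response.origin === documentOrigin || timingAllowCheck(response, documentOrigin)) {
    return 'fully-visible';
  }
  return corsCheck(response, documentOrigin) ? 'restricted-allowed-by-cors' : 'restricted';
}

function summarize(responses, documentOrigin) {
  const counts = { 'fully-visible': 0, restricted: 0, 'restricted-allowed-by-cors': 0 };
  for (const r of responses) counts[classify(r, documentOrigin)] += 1;
  return counts;
}

// Constructed sample: four responses seen by a document at https://example.test
const SAMPLE = [
  { origin: 'https://example.test', headers: {} },
  { origin: 'https://cdn.example', headers: { 'timing-allow-origin': '*' } },
  { origin: 'https://api.example', headers: { 'access-control-allow-origin': 'https://example.test' } },
  { origin: 'https://tracker.example', headers: {} },
];
```

Note that "Missing" entries (resources fetched inside a cross-origin iframe) never reach the parent document's timeline, so a classifier like this one cannot count them; the crawl measured those separately.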