cyu / rack-cors

Rack Middleware for handling Cross-Origin Resource Sharing (CORS), which makes cross-origin AJAX possible.
MIT License

Support for Timing-Allow-Origin #240

Closed bessey closed 1 year ago

bessey commented 1 year ago

From the Resource Timing API Docs:

> Note: When CORS is in effect, many of these values are returned as zero unless the server's access policy permits these values to be shared. This requires the server providing the resource to send the Timing-Allow-Origin HTTP response header with a value specifying the origin or origins which are allowed to get the restricted timestamp values.

While not strictly CORS, they are closely related enough that I feel that support for configuring this header would fit nicely in rack-cors. We at least would have identical values for our CORS origins and timing origins.

Open to a PR? Would we expect an API like

```ruby
Rack::Cors do
  allow do
    origins CORS_REGEX
    allow_timing true
  end
end
```

or

```ruby
Rack::Cors do
  allow do
    origins CORS_REGEX
    timing_origins TIMING_SPECIFIC_REGEX
  end
end
```

cyu commented 1 year ago

Would be happy to take a PR. I prefer the first option.

bessey commented 1 year ago

FYI We've already done the work to handle this up the stack, so I won't be pushing this forward after all.

tinynumbers commented 1 year ago

> FYI We've already done the work to handle this up the stack, so I won't be pushing this forward after all.

Are you able to share code showing how you handled this?

bessey commented 1 year ago

I meant outside the application. We're adding the headers in AWS CloudFront.


cyu commented 1 year ago

Closing this issue for now. Again, I will welcome a PR.
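
For readers who want the header set inside the application instead of at a CDN, the following is an added example, not code from rack-cors or from anyone in this thread. It is a small standalone Rack-style middleware that sends `Timing-Allow-Origin` only to origins on an allowlist. The class name `TimingAllowOrigin`, the `allowed:` option and the `SAMPLE_*` values are hypothetical, and it assumes lowercase response header keys as Rack 3 uses.

```ruby
# Added example: Rack-compatible middleware, no gems required.
class TimingAllowOrigin
  # allowed: Array of exact origin Strings and/or Regexps (hypothetical option).
  def initialize(app, allowed:)
    @app = app
    @allowed = allowed
  end

  def call(env)
    status, headers, body = @app.call(env)
    headers = headers.dup
    # The response differs per Origin, so shared caches must key on it.
    headers["vary"] = merge_vary(headers["vary"])
    origin = env["HTTP_ORIGIN"]
    # Echo only an allowlisted origin, never "*", so resource timing data is
    # shared with the same sites the CORS policy already trusts.
    headers["timing-allow-origin"] = origin if origin && allowed?(origin)
    [status, headers, body]
  end

  private

  def allowed?(origin)
    @allowed.any? do |rule|
      rule.is_a?(Regexp) ? rule.match?(origin) : rule == origin
    end
  end

  def merge_vary(existing)
    values = existing.to_s.split(/\s*,\s*/).reject(&:empty?)
    values << "Origin" unless values.any? { |v| v.casecmp?("origin") }
    values.join(", ")
  end
end

# Constructed sample values. The regexp is anchored with \A and \z so a
# lookalike host that merely contains "example.com" is not accepted.
SAMPLE_ALLOWED = [%r{\Ahttps://([a-z0-9-]+\.)?example\.com\z}, "http://localhost:3000"].freeze
SAMPLE_APP = ->(_env) { [200, { "content-type" => "text/plain", "vary" => "Accept-Encoding" }, ["ok"]] }

# Runs one request through the middleware and returns the response headers.
def timing_headers_for(origin)
  env = origin ? { "HTTP_ORIGIN" => origin } : {}
  _status, headers, _body = TimingAllowOrigin.new(SAMPLE_APP, allowed: SAMPLE_ALLOWED).call(env)
  headers
end
```

In a real application the allowlist would normally be the same value passed to `origins` in the rack-cors configuration, so the CORS and timing policies cannot drift apart.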