Closed andydavies closed 7 years ago
Similar discussion in RT: https://github.com/w3c/resource-timing/issues/42
I'm supportive of including an explicit "not allowed" signal as I see too many people struggle with it:
In RT you need to make sure all Size attributes are 0 while responseEnd is not 0. In NT and redirects, there's no real way to know, and all in all, exposing this value directly is easy, and will avoid much of that confusion.
> This makes it impossible to determine whether there were actually no redirects or just the information isn't available due to security restrictions.
Which, in itself, is a security precaution, right? Can you learn presence of a redirect via other means?
> Can you learn presence of a redirect via other means?
I'll dig into this a bit more but some random thoughts…
Unsure if referrer might give some hints in some situations (need to go re-read the spec)
Longer than 'normal' fetchStarts might also hint at redirects but could also be due to slow unload handlers on another site (with TAO), queuing in browser etc.
Even if a site owner adds a TAO header to pick up their own redirects they'll lose them if there's a third-party at the start of the chain e.g.
http://bit.ly/2sHIF0Y > http://andydavies.me > https://andydavies.me
If I want to do anything with redirects from a RUM PoV the only approach I can see at the moment is to ignore any where redirect count is zero, but I've no way of telling how many positives I'm excluding.
> If I want to do anything with redirects from a RUM PoV the only approach I can see at the moment is to ignore any where redirect count is zero, but I've no way of telling how many positives I'm excluding.
In order to expose this data we need opt-in from the redirect origins. Exposing "failed" signal is, by itself, also leaking information that is otherwise not available.
Closing, as this behavior is by design. Feel free to reopen if you disagree. :)
When the timing allow check fails, redirectCount is explicitly set to zero (https://w3c.github.io/navigation-timing/#dom-performancenavigationtiming-redirectcount).
This makes it impossible to determine whether there were actually no redirects or just the information isn't available due to security restrictions.
Is it possible to have an explicit signal on when information like this isn't available due to security restrictions?
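
An added example (not code from this thread or from the specs) of how a RUM script could handle the two cases discussed above: the Resource Timing size heuristic, and treating a zero `redirectCount` as ambiguous rather than as "no redirects". The function names and the sample entries are assumptions constructed for illustration.

```javascript
// Size attributes defined on PerformanceResourceTiming.
const SIZE_FIELDS = ['transferSize', 'encodedBodySize', 'decodedBodySize'];

// Heuristic from the thread: all Size attributes are 0 while responseEnd is not 0.
// A cached response that really has an empty body matches too, so treat
// 'restricted' as "probably blocked by the timing allow check", not as proof.
function classifyResource(entry) {
  if (SIZE_FIELDS.some((f) => typeof entry[f] !== 'number')) return 'unknown';
  if (!entry.responseEnd) return 'incomplete';
  return SIZE_FIELDS.every((f) => entry[f] === 0) ? 'restricted' : 'exposed';
}

// redirectCount is set to 0 when the timing allow check fails, so 0 cannot be
// told apart from "no redirects". Only a positive count is a real observation.
function redirectSignal(navEntry) {
  const count = navEntry.redirectCount;
  return count > 0
    ? { redirects: count, known: true }
    : { redirects: null, known: false };
}

// RUM-side summary that keeps the ambiguous cases visible instead of
// silently counting them as zero.
function summarize(entries) {
  const out = { exposed: 0, restricted: 0, incomplete: 0, unknown: 0,
                redirectsKnown: 0, redirectsAmbiguous: 0 };
  for (const e of entries) {
    if (e.entryType === 'resource') {
      out[classifyResource(e)] += 1;
    } else if (e.entryType === 'navigation') {
      if (redirectSignal(e).known) out.redirectsKnown += 1;
      else out.redirectsAmbiguous += 1;
    }
  }
  return out;
}

// Constructed sample entries. In a page these would come from
// performance.getEntriesByType('navigation') and getEntriesByType('resource').
const SAMPLE_ENTRIES = [
  { entryType: 'navigation', redirectCount: 0 },
  { entryType: 'navigation', redirectCount: 2 },
  { entryType: 'resource', transferSize: 1200, encodedBodySize: 900, decodedBodySize: 2400, responseEnd: 310.5 },
  { entryType: 'resource', transferSize: 0, encodedBodySize: 0, decodedBodySize: 0, responseEnd: 420.1 },
  { entryType: 'resource', transferSize: 0, encodedBodySize: 0, decodedBodySize: 0, responseEnd: 0 },
];

console.log(summarize(SAMPLE_ENTRIES));
```

Reporting `redirectsAmbiguous` alongside `redirectsKnown` gives a bound on how many navigations were excluded, even though the true redirect count for them stays hidden.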