w3c / resource-timing

Resource Timing
https://w3c.github.io/resource-timing/

User Agent may want to restrict cross-origin transferSize/encodedBodySize/decodedBodySize visibility even with TAO #342

Closed achristensen07 closed 1 year ago

achristensen07 commented 1 year ago

Doing so would prevent a side-channel to gather data even from origins that send TAO headers. Similar to https://github.com/w3c/server-timing/issues/89 which proposes a similar restriction for Server Timing.

yoavweiss commented 1 year ago

This was discussed at TPAC, and there was agreement we can allow such UA liberties in the spec.

@achristensen07 - Are you interested in submitting a PR to that effect?

achristensen07 commented 1 year ago

I can make a PR