w3c / server-timing

Server Timing
http://w3c.github.io/server-timing/

Privacy and Security section should mention that a user agent may choose to not expose cross-origin PerformanceServerTiming entries even with TAO #89

Closed achristensen07 closed 1 year ago

achristensen07 commented 2 years ago

Concerns about using server timing for tracking have prevented us from enabling PerformanceServerTiming in WebKit. If we limited it to same-origin even when TAO headers may be present, that would help us enable it.

achristensen07 commented 2 years ago

(This is intended to be discussed at TPAC 2022)

noamr commented 2 years ago

Can you clarify if you're considering CORS same origin (cross origin with a CORS header etc.) as same origin? CORS resources can already pass as much tracking information as they want.

achristensen07 commented 2 years ago

I'm not considering CORS same origin, though you are correct that CORS resources can already pass arbitrary information.

achristensen07 commented 2 years ago

Motivating example from my slides at TPAC: Many webpages look like this:

<img src='https://example1.com/img.png'/> <script src='https://example2.com/analytics'></script>

With server timing, example1.com can now send unique identifiers to example2.com without modifying any content.
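The restriction proposed in this issue, written out as an added example that is not code from the w3c/server-timing repository or from any browser: a function that strips serverTiming from cross-origin resource entries even when Timing-Allow-Origin passed, plus an audit helper a page owner can run over performance.getEntriesByType("resource") to list third-party resources whose serverTiming is readable by any script on the page. The entry objects and origins below are constructed to mimic the PerformanceResourceTiming shape.

```javascript
// Added example modelling the UA liberty discussed in this issue (not from
// the spec repo). Entries are shaped like PerformanceResourceTiming, whose
// serverTiming array holds PerformanceServerTiming objects
// ({ name, duration, description }).

// True when `url` shares scheme, host and port with `documentOrigin`.
function isSameOrigin(url, documentOrigin) {
  return new URL(url).origin === documentOrigin;
}

// What a UA could do before exposing entries to script: keep the resource
// timing entry, but surface serverTiming only for same-origin resources.
// A CORS-readable cross-origin resource is still cross-origin here, matching
// the clarification in the thread that CORS same-origin is not treated as
// same-origin.
function restrictServerTiming(entries, documentOrigin) {
  return entries.map((e) => ({
    ...e,
    serverTiming: isSameOrigin(e.name, documentOrigin) ? e.serverTiming : [],
  }));
}

// Audit helper for a page owner: which cross-origin resources currently
// expose Server-Timing metrics to every script running in the document?
function crossOriginServerTimingLeaks(entries, documentOrigin) {
  return entries
    .filter((e) => !isSameOrigin(e.name, documentOrigin) && e.serverTiming.length > 0)
    .map((e) => ({ name: e.name, metrics: e.serverTiming.map((m) => m.name) }));
}

// Constructed sample: a document on publisher.example (assumed name) that
// embeds the image and the analytics script from the motivating example.
const DOCUMENT_ORIGIN = "https://publisher.example";
const SAMPLE_ENTRIES = [
  { name: "https://publisher.example/app.js",
    serverTiming: [{ name: "db", duration: 12, description: "" }] },
  // Cross-origin image whose response carried Timing-Allow-Origin, so the
  // UA would normally expose its serverTiming to the page.
  { name: "https://example1.com/img.png",
    serverTiming: [{ name: "uid", duration: 0, description: "ID-PLACEHOLDER" }] },
  { name: "https://example2.com/analytics", serverTiming: [] },
];

// In a real page replace SAMPLE_ENTRIES with performance.getEntriesByType("resource").
console.log(JSON.stringify(crossOriginServerTimingLeaks(SAMPLE_ENTRIES, DOCUMENT_ORIGIN)));
console.log(JSON.stringify(restrictServerTiming(SAMPLE_ENTRIES, DOCUMENT_ORIGIN)));
```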

yoavweiss commented 2 years ago

Thanks for the concrete example! This makes discussing this significantly easier!

So, we have example1.com which is already loading a passive resource (image) in the page and example2.com that's loading an active resource (script). You are worried that the passive resource would be able to pass information read by the active one.

Given that both example1.com and example2.com can modify their content in order to pass along the required information, isn't it possible for the script included by example2.com to load a CORS enabled image from example1.com, and then use the image's non-opaque contents to read e.g. unique identifiers? (even if CSP prevents other, easier types of fetches)

achristensen07 commented 2 years ago

It is indeed possible for example1.com to modify its content, but this is to increase the privacy when example1.com does not modify its content, which is quite common on the web.

jeremyroman commented 2 years ago

@achristensen07 IIUC the HTML resource's origin (which is the one you're concerned doesn't modify its content) is neither example1.com nor example2.com, but something cross-site to both, right?

achristensen07 commented 2 years ago

@jeremyroman You understand correctly.

yoavweiss commented 1 year ago

This was discussed at TPAC, and there was agreement we can allow such UA liberties in the spec.

@achristensen07 - interested in PRing something here?

achristensen07 commented 1 year ago

I can make a PR.