Closed achristensen07 closed 1 year ago
(This is intended to be discussed at TPAC 2022)
Can you clarify if you're considering CORS same-origin (cross-origin with a CORS header, etc.) as same-origin? CORS resources can already pass as much tracking information as they want.
I'm not considering CORS same origin, though you are correct that CORS resources can already pass arbitrary information.
Motivating example from my slides at TPAC: Many webpages look like this:
```html
<img src='https://example1.com/img.png'/>
<script src='https://example2.com/analytics'></script>
```
With server timing, example1.com can now send unique identifiers to example2.com without modifying any content
Thanks for the concrete example! This makes discussing this significantly easier!
So, we have example1.com, which is already loading a passive resource (image) in the page, and example2.com, which is loading an active resource (script). You are worried that the passive resource would be able to pass information read by the active one.

Given that both example1.com and example2.com can modify their content in order to pass along the required information, isn't it possible for the script included by example2.com to load a CORS-enabled image from example1.com, and then use the image's non-opaque contents to read e.g. unique identifiers? (even if CSP prevents other, easier types of fetches)
It is indeed possible for example1.com to modify its content, but this is to increase the privacy when example1.com does not modify its content, which is quite common on the web.
@achristensen07 IIUC the HTML resource's origin (which is the one you're concerned doesn't modify its content) is neither example1.com nor example2.com, but something cross-site to both, right?
@jeremyroman You understand correctly.
This was discussed at TPAC, and there was agreement we can allow such UA liberties in the spec.
@achristensen07 - interested in PRing something here?
I can make a PR.
Concerns about using server timing for tracking have prevented us from enabling PerformanceServerTiming in WebKit. If we limited it to same-origin even when TAO headers may be present, that would help us enable it.
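As an added illustration (not code from this thread or from the Server-Timing spec), the snippet below models the rule proposed above, exposing `PerformanceServerTiming` only for same-origin resources regardless of Timing-Allow-Origin, and audits a page's resource entries for cross-origin Server-Timing data, using the thread's `example1.com` / `example2.com` setup; the document origin `https://publisher.example`, the sample entries and the metric values are constructed.

```javascript
// Parse a Server-Timing header value into PerformanceServerTiming-shaped
// objects ({name, duration, description}). Assumption: plain metric syntax
// "name;dur=..;desc=.." without quoted-string values.
function parseServerTiming(headerValue) {
  return headerValue.split(',').map(metric => {
    const [name, ...params] = metric.trim().split(';').map(s => s.trim());
    const entry = { name, duration: 0, description: '' };
    for (const p of params) {
      const i = p.indexOf('=');
      const key = i < 0 ? p : p.slice(0, i);
      const value = i < 0 ? '' : p.slice(i + 1);
      if (key === 'dur') entry.duration = Number(value);
      else if (key === 'desc') entry.description = value;
    }
    return entry;
  });
}

// What a UA following the same-origin-only proposal would expose to script:
// nothing for cross-origin resources, even if TAO headers are present.
function exposedServerTiming(documentOrigin, resourceUrl, headerValue) {
  if (new URL(resourceUrl).origin !== documentOrigin) return [];
  return parseServerTiming(headerValue);
}

// Audit helper for a page owner: which cross-origin resources currently carry
// Server-Timing data that any script on the page (e.g. example2.com's) can read?
function auditCrossOriginServerTiming(documentOrigin, entries) {
  return entries
    .filter(e => new URL(e.name).origin !== documentOrigin && e.serverTiming.length > 0)
    .map(e => ({ url: e.name, metrics: e.serverTiming.map(m => m.name) }));
}

// Constructed sample mirroring the thread: a document on https://publisher.example
// embeds an image from example1.com and a script from example2.com. The image's
// response carries a constructed identifier in its Server-Timing description.
const sampleEntries = [
  { name: 'https://example1.com/img.png',
    serverTiming: parseServerTiming('uid;desc=CONSTRUCTED-ID-1234, cache;dur=12') },
  { name: 'https://example2.com/analytics', serverTiming: [] },
  { name: 'https://publisher.example/style.css', serverTiming: parseServerTiming('db;dur=40') },
];

console.log(auditCrossOriginServerTiming('https://publisher.example', sampleEntries));
```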