Closed marcoscaceres closed 7 years ago
In addition to using the Timing-Allow-Origin HTTP response header, the server can also use relevant logic to control which metrics are returned, when, and to whom - e.g. the server may only provide certain metrics to correctly authenticated users and nothing at all to all others.
I propose we add "secure contexts" to the above as a "may", given that the server is in full control here already.
My fear is that a third party (proxy) could manipulate the values in flight - so the question really is whether this should be a TLS-only feature?
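The spec text quoted above says the server decides which metrics go out, when, and to whom, and that `Timing-Allow-Origin` controls which cross-origin readers see them. The following is an added example of what that server-side logic can look like; it is not part of this thread or the Server Timing spec, and its session table, allowed origin, request shape (`{ protocol, headers }`, Express-like), and sample metrics are constructed assumptions. It also shows the "TLS only" option discussed here as an opt-in policy flag, and includes a parser for the `Server-Timing` value so the result can be checked the way a browser would read it.

```javascript
// Added example (not from the Server Timing spec or this thread).
// Server-side policy for Server-Timing: which metrics go out, to whom, and which
// cross-origin reader may see them via Timing-Allow-Origin.
// Assumptions: requests are plain objects { protocol, headers } (Express-like shape);
// SESSIONS, ALLOWED_ORIGIN and SAMPLE_METRICS are constructed sample data.

const SESSIONS = {                      // constructed: bearer token -> session
  'tok-ops-1':  { user: 'alice', role: 'ops'  },
  'tok-user-7': { user: 'bob',   role: 'user' },
};
const ALLOWED_ORIGIN = 'https://dashboard.example';   // constructed

// Split a header value on `sep`, ignoring separators inside "quoted strings".
function splitOutsideQuotes(value, sep) {
  const out = [];
  let cur = '', inQuote = false;
  for (let i = 0; i < value.length; i++) {
    const c = value[i];
    if (c === '"' && value[i - 1] !== '\\') inQuote = !inQuote;
    if (c === sep && !inQuote) { out.push(cur); cur = ''; } else cur += c;
  }
  out.push(cur);
  return out;
}

// One metric -> `name;dur=<ms>;desc="<text>"` (desc as an HTTP quoted-string).
function formatMetric(m) {
  let s = m.name;
  if (m.dur !== undefined) s += `;dur=${m.dur}`;
  if (m.desc !== undefined) s += `;desc="${String(m.desc).replace(/["\\]/g, '\\$&')}"`;
  return s;
}

// Parse a Server-Timing value back into metric objects, roughly what a browser
// exposes as PerformanceServerTiming entries.
function parseServerTiming(value) {
  const metrics = [];
  for (const entry of splitOutsideQuotes(value, ',')) {
    const [rawName, ...params] = splitOutsideQuotes(entry.trim(), ';');
    const name = rawName.trim();
    if (!name) continue;
    const m = { name };
    for (const p of params) {
      const eq = p.indexOf('=');
      if (eq < 0) continue;
      const key = p.slice(0, eq).trim().toLowerCase();
      let val = p.slice(eq + 1).trim();
      if (val.startsWith('"') && val.endsWith('"')) val = val.slice(1, -1).replace(/\\(.)/g, '$1');
      if (key === 'dur') m.dur = Number(val);
      else if (key === 'desc') m.desc = val;
    }
    metrics.push(m);
  }
  return metrics;
}

// Look the bearer token up in the constructed session table.
function authenticate(req) {
  const match = /^Bearer (\S+)$/.exec(req.headers.authorization || '');
  return match ? SESSIONS[match[1]] || null : null;
}

// Decide the timing headers for one response:
//  - unauthenticated callers get nothing at all;
//  - ordinary users get only metrics flagged `public`; ops users get everything;
//  - Timing-Allow-Origin is set only for the one allowed origin, never `*`;
//  - with requireTls, plaintext requests get nothing (the "TLS only" option).
function timingHeadersFor(req, metrics, { requireTls = false } = {}) {
  const headers = {};
  if (requireTls && req.protocol !== 'https') return headers;
  const session = authenticate(req);
  if (!session) return headers;
  const visible = session.role === 'ops' ? metrics : metrics.filter((m) => m.public);
  if (visible.length === 0) return headers;
  headers['Server-Timing'] = visible.map(formatMetric).join(', ');
  if (req.headers.origin === ALLOWED_ORIGIN) headers['Timing-Allow-Origin'] = ALLOWED_ORIGIN;
  return headers;
}

// Constructed sample metrics a request handler might report.
const SAMPLE_METRICS = [
  { name: 'db',    dur: 53.2, desc: 'primary; shard 2', public: false },
  { name: 'cache', dur: 1.7,  desc: 'hit',              public: true  },
];

// Run the policy against four constructed requests.
function demo() {
  const ops  = { protocol: 'https', headers: { authorization: 'Bearer tok-ops-1', origin: ALLOWED_ORIGIN } };
  const user = { protocol: 'https', headers: { authorization: 'Bearer tok-user-7', origin: 'https://evil.example' } };
  const anon = { protocol: 'https', headers: {} };
  return {
    ops: timingHeadersFor(ops, SAMPLE_METRICS),
    user: timingHeadersFor(user, SAMPLE_METRICS),
    anon: timingHeadersFor(anon, SAMPLE_METRICS),
    plaintextOps: timingHeadersFor({ ...ops, protocol: 'http' }, SAMPLE_METRICS, { requireTls: true }),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The `desc` value containing a semicolon is there on purpose: a naive `split(';')` parser would break it, which is why both serializer and parser treat `desc` as a quoted-string. Echoing only the one allowed origin back in `Timing-Allow-Origin` (rather than `*`) keeps the exposed values limited to the reader the server actually trusts.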
Apologies about the delay.
I think we ought to align with ResourceTiming here, as the two are tightly coupled. In RT, we don't restrict to HTTPS, and I think we should default to the same behavior here. After all, if the transfer is in the clear, third-party proxies can already modify any headers and payload -- tampering with ST timestamps is probably the least interesting bit.
Closing, but feel free to reopen if you disagree :-)
Given the kind of details being transferred, we should probably restrict this API to secure contexts, no?