Hide TAO-protected timing info from navigation timing when cross-origin redirects are present #7104

Closed
Tracked by #38
noamr opened this issue Sep 23, 2021 · 0 comments · Fixed by w3c/navigation-timing#170

noamr commented Sep 23, 2021

See w3c/navigation-timing#158

Currently the spec only hides the internal timing information for non-navigation resources.
It should also hide it for navigation timing, regardless of TAO.

This clarifies the behavior of an existing test, web-platform-tests/wpt#25679

noamr added a commit to noamr/fetch that referenced this issue Sep 23, 2021
This is needed for whatwg/html#7104
and later on for whatwg#1215.

Navigation timing reports the timing info from the HTML spec,
so it needs a mechanism to obfuscate the internals. So far that
obfuscation was internal to fetch and was done upon reporting.
noamr added a commit to noamr/html that referenced this issue Sep 23, 2021
When a navigation includes cross-origin redirects, the navigation timing
entry should not include information about redirect timing and internal
network timing, as that may expose cross-origin timing information.

This is already implemented and tested, but has been omitted when
refactoring the navigation timing spec into HTML.

Closes whatwg#7104
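
A sketch of the hiding described in the commit message above, added here as an illustration and not taken from the HTML, Fetch or Navigation Timing specs or from the referenced commits. The grouping of fields into redirect timing and internal network timing, the use of 0 as the hidden value, the function names and the `.example` URLs are all assumptions.

```javascript
// Added illustration, not spec text. The field groupings and the use of 0 as
// the hidden value are assumptions made for this example.
const REDIRECT_FIELDS = ["redirectStart", "redirectEnd", "redirectCount"];
const NETWORK_FIELDS = [
  "domainLookupStart", "domainLookupEnd", "connectStart", "connectEnd",
  "secureConnectionStart", "requestStart", "responseStart",
];
const PROTECTED_FIELDS = [...REDIRECT_FIELDS, ...NETWORK_FIELDS];

// True when any hop in the chain has a different origin from the final document.
function hasCrossOriginRedirects(urlChain) {
  const finalOrigin = new URL(urlChain[urlChain.length - 1]).origin;
  return urlChain.some((u) => new URL(u).origin !== finalOrigin);
}

// Returns a copy of `raw` as a page would be allowed to read it: redirect and
// network-phase fields are hidden once the chain has crossed origins.
// There is no TAO parameter: per the issue, the hiding applies regardless of TAO.
function exposedNavigationEntry(urlChain, raw) {
  const entry = { ...raw };
  if (hasCrossOriginRedirects(urlChain)) {
    for (const field of PROTECTED_FIELDS) entry[field] = 0;
  }
  return entry;
}

// Conformance-style check: names of protected fields that still carry a value.
function leakedFields(urlChain, entry) {
  if (!hasCrossOriginRedirects(urlChain)) return [];
  return PROTECTED_FIELDS.filter((field) => entry[field] !== 0);
}

// Constructed sample data: milliseconds relative to navigation start.
const RAW = {
  startTime: 0, redirectStart: 2, redirectEnd: 140, redirectCount: 2,
  fetchStart: 141, domainLookupStart: 142, domainLookupEnd: 150,
  connectStart: 150, connectEnd: 180, secureConnectionStart: 160,
  requestStart: 181, responseStart: 230, responseEnd: 260,
};
const SAME_ORIGIN_CHAIN = [
  "https://app.example/a", "https://app.example/b", "https://app.example/c",
];
const CROSS_ORIGIN_CHAIN = [
  "https://app.example/login", "https://idp.example/auth", "https://app.example/home",
];
```

Passing the unfiltered `RAW` entry to `leakedFields` with `CROSS_ORIGIN_CHAIN` lists every field that would reveal how long the cross-origin hop took; passing the output of `exposedNavigationEntry` lists none.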
noamr added a commit to noamr/html that referenced this issue Sep 23, 2021
@whatwg whatwg deleted a comment Sep 25, 2021
noamr added a commit to noamr/html that referenced this issue Sep 29, 2021
annevk pushed a commit to whatwg/fetch that referenced this issue Sep 30, 2021
noamr added a commit to noamr/html that referenced this issue Jan 17, 2022
noamr added a commit to noamr/html that referenced this issue Feb 8, 2022