[webkit-dev] Request for position: tainted origin flag affecting Timing Allow Origin

Nicolás Peña Moreno npm at google.com
Thu Apr 15 14:11:56 PDT 2021


Hi, I'd like to change the timing allow check
<https://fetch.spec.whatwg.org/#tao-check> used in Resource Timing so that
it accounts for the tainted origin flag. The tainted origin flag is set
once we see two cross-origin crosses in a redirect chain. Currently in
Chrome we'd ignore this flag, whereas we propose requiring "*" in order to
pass the check, which aligns with CORS behavior.

What this means is that if there is a redirect chain A -> B -> C then the
header in C cannot be a specific origin because the tainted origin flag is
set, so it must be "*" in order for the timing allow check to pass and the
PerformanceResourceTiming entry to get detailed timing information. There
is a test for this here
https://wpt.fyi/results/resource-timing/tao-origin-SO-XO-SO-redirect-chain.https.html?label=master&label=experimental&aligned
(A -> B -> A) but I'm not sure how to interpret that it times out in Safari
so would be nice to know if you support this change (it may already work
properly in Safari, but hard for me to know). Thanks!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-dev/attachments/20210415/4c9b9abe/attachment.htm>


More information about the webkit-dev mailing list