[Webkit-unassigned] [Bug 184627] New: TAO not working when multiple "Timing-Allow-Origin: *" headers are present in the HTTP header

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Apr 13 22:01:08 PDT 2018


            Bug ID: 184627
           Summary: TAO not working when multiple "Timing-Allow-Origin: *"
                    headers are present in the HTTP header
           Product: WebKit
           Version: Safari 11
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebKit API
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: ugoel at akamai.com

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36

Steps to reproduce the problem:
1. Visit http://dev.utkarshgoel.in/index_nonminify.html and monitor the network activity in the devTools. 

This page downloads resources from three origins: dev.utkarshgoel.in, dev1.utkarshgoel, and dev2.utkarshgoel.in. Resources downloaded from all three origins have the "Timing-Allow-Origin: *" HTTP header present. 

In my testcase, I made the server add multiple "Timing-Allow-origin: *" headers for the origin  "dev2.utkarshgoel.in".

2. Observe the network activity as the page loads to identify the resource downloaded from the origin "dev2.utkarshgoel.in". The resource should be http://dev2.utkarshgoel.in/docs/utkarsh-goel-resume.pdf and should have two occurrences of the header "Timing-Allow-Origin: *".

Next, type in the console: 

to check the value of "domainLookupStart" for this resource. This value will be 0, even when the "Timing-Allow-Origin: *" header was present for this resource's HTTP header.

3. Next, observe the network activity to identify the resource downloaded form the origin "dev1.utkarshgoel.in". This resource should be http://dev1.utkarshgoel.in/misc.html and has only one occurrence of the "Timing-Allow-Origin: *" header

In the console, type:


and find this resource's "domainLookupStart" value. This value will be greater than 0. This indicates that the Timing-Allow-Origin worked as expected for the origin dev1.utkarshgoel.in, allowing the origin "dev.utkarshgoel.in" to access the timing information for the resource from "dev1.utkarshgoel.in".

What is the expected behavior?
The browser should have made available the timing information for the resource downloaded from the origin "dev2.utkarshgoel.in" because it had the "Timing-Allow-Origin: *" present in the HTTP header

What went wrong?
Since the browser received multiple "Timing-Allow-Origin: *" headers, it concatenated the values present on all the "Timing-Allow-Origin" header, which resulted in the final value of "*, *". This value neither matched the origin name "dev.utkarshgoel.in" nor it matched the wildcard hostname "*". 

Did this work before? No 

Does this work in other browsers? No
 The same bug also applies to Chromium. I have filed the same bug there at https://bugs.chromium.org/p/chromium/issues/detail?id=833032

This bug is related to the Resource timing API

You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20180414/8cf67f63/attachment.html>

More information about the webkit-unassigned mailing list