[Webkit-unassigned] [Bug 184627] New: TAO not working when multiple "Timing-Allow-Origin: *" headers are present in the HTTP header
bugzilla-daemon at webkit.org
Fri Apr 13 22:01:08 PDT 2018
Bug ID: 184627
Summary: TAO not working when multiple "Timing-Allow-Origin: *"
headers are present in the HTTP header
Version: Safari 11
Component: WebKit API
Assignee: webkit-unassigned at lists.webkit.org
Reporter: ugoel at akamai.com
UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36
Steps to reproduce the problem:
1. Visit http://dev.utkarshgoel.in/index_nonminify.html and monitor the network activity in the devTools.
This page downloads resources from three origins: dev.utkarshgoel.in, dev1.utkarshgoel.in, and dev2.utkarshgoel.in. Resources downloaded from all three origins have the "Timing-Allow-Origin: *" HTTP header present.
In my testcase, I made the server add multiple "Timing-Allow-Origin: *" headers for the origin "dev2.utkarshgoel.in".
2. Observe the network activity as the page loads to identify the resource downloaded from the origin "dev2.utkarshgoel.in". The resource should be http://dev2.utkarshgoel.in/docs/utkarsh-goel-resume.pdf and should have two occurrences of the header "Timing-Allow-Origin: *".
Next, type in the console:
to check the value of "domainLookupStart" for this resource. This value will be 0, even when the "Timing-Allow-Origin: *" header was present for this resource's HTTP header.
3. Next, observe the network activity to identify the resource downloaded from the origin "dev1.utkarshgoel.in". This resource should be http://dev1.utkarshgoel.in/misc.html and has only one occurrence of the "Timing-Allow-Origin: *" header.
In the console, type:
and find this resource's "domainLookupStart" value. This value will be greater than 0. This indicates that the Timing-Allow-Origin worked as expected for the origin dev1.utkarshgoel.in, allowing the origin "dev.utkarshgoel.in" to access the timing information for the resource from "dev1.utkarshgoel.in".
What is the expected behavior?
The browser should have made available the timing information for the resource downloaded from the origin "dev2.utkarshgoel.in" because it had the "Timing-Allow-Origin: *" present in the HTTP header.
What went wrong?
Since the browser received multiple "Timing-Allow-Origin: *" headers, it concatenated the values present on all the "Timing-Allow-Origin" headers, which resulted in the final value of "*, *". This value neither matched the origin name "dev.utkarshgoel.in" nor did it match the wildcard hostname "*".
Did this work before? No
Does this work in other browsers? No
The same bug also applies to Chromium. I have filed the same bug there at https://bugs.chromium.org/p/chromium/issues/detail?id=833032
This bug is related to the Resource timing API
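
The failure described under "What went wrong?", as an added example that is not part of the original report and is not WebKit or Chromium source: a small model of the TAO check showing why comparing the combined value as one string rejects "*, *", while a per-token comparison accepts it. The function names and the `other.example` origins are assumptions made for the illustration.

```javascript
// Added example: a model of the Timing-Allow-Origin (TAO) check,
// not code from any browser engine.

// Repeated header lines with the same name are combined into one value,
// joined by ", " (the concatenation the report describes).
function combineHeaderLines(lines) {
  return lines.join(", ");
}

// Behaviour described in the report: the combined value is compared as a
// single string, so "*, *" matches neither "*" nor the requesting origin.
function taoCheckWholeValue(combined, requestingOrigin) {
  return combined === "*" || combined === requestingOrigin;
}

// List-aware check: split on commas, trim optional whitespace and require an
// exact token match. Exact comparison (never substring matching) keeps the
// check from exposing timing data to an origin that merely contains an
// allowed one.
function taoCheckList(combined, requestingOrigin) {
  return combined
    .split(",")
    .map((token) => token.trim())
    .some((token) => token === "*" || token === requestingOrigin);
}

// Constructed sample header sets modelled on the cases in the report.
const PAGE_ORIGIN = "http://dev.utkarshgoel.in";
const SAMPLES = {
  singleWildcard: combineHeaderLines(["*"]),
  duplicatedWildcard: combineHeaderLines(["*", "*"]),
  unrelatedOrigin: combineHeaderLines(["http://other.example"]),
  lookalikeOrigin: combineHeaderLines(["http://dev.utkarshgoel.in.other.example"]),
};

// Run one check over every sample and return { sampleName: allowed }.
function evaluate(check) {
  return Object.fromEntries(
    Object.entries(SAMPLES).map(([name, value]) => [name, check(value, PAGE_ORIGIN)])
  );
}

console.log("whole-value:", evaluate(taoCheckWholeValue));
console.log("list-aware: ", evaluate(taoCheckList));
```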