Element Timing and LCP entries have a "renderTime" attribute, aligned with the first frame in which an image or text was painted. For cross-origin images, this attribute is currently guarded by requiring a "Timing-Allow-Origin" header on the image resource. However, that restriction is easy to work around (e.g. by displaying a same-origin and a cross-origin image in the same frame). Since this has been a source of confusion, we plan to remove this restriction and instead coarsen all render times by 4ms when the document is not cross-origin-isolated. This is seemingly coarse enough to avoid leaking any useful decoding-time information about cross-origin images.
People using the LCP/Element Timing APIs are currently utterly confused about this; it comes up frequently. Zeroing the renderTime doesn't make a lot of security sense, so the confusion can be resolved while providing a mitigation that is more suitable security-wise.
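The following sketch is an added example, not Chromium code: it models the current and the planned exposure rules side by side and shows how a consumer can read the timestamp under either. Coarsening is assumed here to mean flooring to a multiple of 4 ms, and the `crossOrigin`, `timingAllowOrigin` and `paintTime` fields are hypothetical names for this model.

```javascript
// Assumption: "coarsen by 4ms" is modeled as flooring to a multiple of 4 ms.
const COARSE_MS = 4;

function coarsen(t, resolutionMs = COARSE_MS) {
  return Math.floor(t / resolutionMs) * resolutionMs;
}

// Current rule: renderTime is zeroed for a cross-origin image that was
// served without a Timing-Allow-Origin header.
function renderTimeCurrent(img) {
  return img.crossOrigin && !img.timingAllowOrigin ? 0 : img.paintTime;
}

// Planned rule: no Timing-Allow-Origin check; every render time is coarsened
// unless the document is cross-origin isolated.
function renderTimePlanned(img, crossOriginIsolated) {
  return crossOriginIsolated ? img.paintTime : coarsen(img.paintTime);
}

// Constructed sample: two images painted in the same frame (hypothetical URLs).
const sameFrame = [
  { url: 'https://site.example/hero.png', crossOrigin: false, timingAllowOrigin: false, paintTime: 1234.7 },
  { url: 'https://cdn.example/banner.png', crossOrigin: true, timingAllowOrigin: false, paintTime: 1234.7 },
];

function compare(images, crossOriginIsolated) {
  return images.map((img) => ({
    url: img.url,
    current: renderTimeCurrent(img),
    planned: renderTimePlanned(img, crossOriginIsolated),
  }));
}

// Consumer side: under the current rule renderTime can be 0, so fall back to
// loadTime; under the planned rule renderTime is always populated.
function paintTimestamp(entry) {
  return entry.renderTime || entry.loadTime;
}

// Browser-only wiring; defined here but not invoked outside a page.
function observeLcp(onTimestamp) {
  const po = new PerformanceObserver((list) => {
    for (const entry of list.getEntries()) onTimestamp(paintTimestamp(entry));
  });
  po.observe({ type: 'largest-contentful-paint', buffered: true });
  return po;
}
```

In the constructed frame, the current rule reports 0 for the cross-origin image while the same-origin image in the same frame still carries the full-precision time; the planned rule reports the same coarsened value for both.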
Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
None
No milestones specified