[PSA] Resource-Timing for cross-origin iframes: change in behavior
26 views
Skip to first unread message
Noam Rosenthal
Jan 11, 2023, 12:11:42 PM1/11/23
to blink-dev
Today IFrames (and objects etc) report their resource timing of their first src to their parent, and if they're cross origin and fail a Timing-Allow-Origin (TAO) check, the reported values are only the start/end of the fetch.
The behavior change is that for cross-origin iframes that fail TAO, we report the load event time as the end time rather than the response EOF. This avoids exposing extra information about them, which is somewhat of a cross-origin leak.
The other change is that when an iframe changes src, the resulting fetch is also reported (up until now only the first src was reported).
The new behavior also makes complex scenarios such as IFrame restoring clearer.
- When we set the src, we save that time as the navigation time
- If the iframe passed TAO and finished, we report its full resource timing
- If the iframe reaches the load event without reporting resource timing, we report the navigation time -> load event as the resource timing for that iframe.
This is about to be merged into the HTML/Fetch specs:
https://github.com/whatwg/fetch/pull/1579
https://github.com/whatwg/html/pull/8643
Original issue:
https://github.com/w3c/resource-timing/issues/340
https://github.com/whatwg/html/pull/8643
Original issue:
https://github.com/w3c/resource-timing/issues/340
CL:
https://chromium-review.googlesource.com/c/chromium/src/+/4145963
Bug:
https://bugs.chromium.org/p/chromium/issues/detail?id=1404695
This was also discussed at TPAC 2022.
Bug:
https://bugs.chromium.org/p/chromium/issues/detail?id=1404695
This was also discussed at TPAC 2022.
Reply all
Reply to author
Forward
0 new messages