Hey, in
https://github.com/w3c/resource-timing/issues/12 folks are
looking for Mozilla to give some kind of security sign off. It's still
not entirely clear to me how we do this kind of thing as an
organization so I thought I'd ask here.
In particular, I know in the past we've been conservative revealing
the specifics of network failures, even when it comes to same-origin
communication. The outcome is that a ton of APIs expose that kind of
thing binary, either it works or it didn't.
Now
https://w3c.github.io/resource-timing/ promises to give detailed
information, even cross-origin if the resource on the other side opted
in, for DNS, TLS, HTTP, etc. timing, even when the resource could not
be completely obtained (the timings for the bits where it started
failing will be zero).
It's not entirely clear to me if this enables new attacks, and of what
nature, but it does seem like a significant shift in policy from the
tried and true binary approach.
Input appreciated.
--
https://annevankesteren.nl/