Contact emails
nrosent...@chromium.org, mmo...@chromium.org

Explainer
None

Specification
None

Summary
Element timing and LCP entries have a "renderTime" attribute, aligned with the first frame in which an image or text was painted. This attribute is currently guarded for cross-origin images by requiring a "Timing-Allow-Origin" header on the image resource. However, that restriction is easy to work around (e.g. by displaying a same-origin and cross-origin image in the same frame). Since this has been a source of confusion, we plan to remove this restriction, and instead coarsen all render times by 4ms when the document is not cross-origin-isolated. This is seemingly coarse enough to avoid leaking any useful decoding-time information about cross-origin images.

Blink component
Blink>PerformanceAPIs

Motivation
People using the LCP/element-timing APIs are currently utterly confused about this; it comes up frequently. Zeroing the renderTime doesn't make a lot of security sense, so the confusion can be solved while providing a more suitable mitigation security-wise.

Initial public proposal
https://github.com/w3c/paint-timing/issues/104#issuecomment-2411775797

TAG review
None

TAG review status
Pending

Risks

Interoperability and Compatibility
None

Gecko: No signal
WebKit: No signal
Web developers: No signals
Other signals:

WebView application risks
Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
None

Debuggability
None

Is this feature fully tested by web-platform-tests?
No

Flag name on chrome://flags
None

Finch feature name
None

Non-finch justification
None

Requires code in //chrome?
False

Tracking bug
https://issues.chromium.org/issues/373263977

Estimated milestones
No milestones specified

Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5128261284397056?gate=5089084605988864

This intent message was generated by Chrome Platform Status.
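The following is an added illustration, not part of the original message and not Chromium code: a small model of the two policies described in the Summary, showing why zeroing only the cross-origin entry protects nothing when a same-origin image paints in the same frame, and what uniform 4ms coarsening reports instead. All function names, URLs and timestamps are constructed; the rounding direction and the behaviour for cross-origin-isolated documents are assumptions.

```javascript
// Model only: hypothetical names, constructed sample data.
const COARSEN_MS = 4; // granularity stated in the intent

// Constructed sample: two images first painted in the same frame.
const sampleFrame = {
  paintTime: 1234.567, // ms, exact frame time (constructed value)
  entries: [
    { url: "https://site.example/hero.png", crossOrigin: false, timingAllowOrigin: false },
    { url: "https://other.example/photo.jpg", crossOrigin: true, timingAllowOrigin: false },
  ],
};

// Current behaviour per the Summary: renderTime is zeroed for
// cross-origin images served without Timing-Allow-Origin.
function currentPolicy(frame) {
  return frame.entries.map((e) => ({
    url: e.url,
    renderTime: e.crossOrigin && !e.timingAllowOrigin ? 0 : frame.paintTime,
  }));
}

// Assumption: coarsening rounds down to a multiple of the granularity.
function coarsen(t, granularity = COARSEN_MS) {
  return Math.floor(t / granularity) * granularity;
}

// Proposed behaviour: no per-resource gate; every renderTime is coarsened
// when the document is not cross-origin-isolated. Assumption: the isolated
// case, which the message does not describe, is left unmodified here.
function proposedPolicy(frame, crossOriginIsolated) {
  const t = crossOriginIsolated ? frame.paintTime : coarsen(frame.paintTime);
  return frame.entries.map((e) => ({ url: e.url, renderTime: t }));
}

// Best frame-time estimate a page gets for ANY entry in the frame:
// every entry shares one frame, so one non-zero value covers all of them.
function observableFrameTime(reported) {
  const visible = reported.find((r) => r.renderTime !== 0);
  return visible ? visible.renderTime : null;
}

console.log("current :", currentPolicy(sampleFrame), observableFrameTime(currentPolicy(sampleFrame)));
console.log("proposed:", proposedPolicy(sampleFrame, false), observableFrameTime(proposedPolicy(sampleFrame, false)));
```

Under the current policy the cross-origin entry reports 0 while the exact frame time is still visible through the same-origin entry; under the proposed policy both entries report the same coarsened value.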