On Wednesday, November 13, 2024 at 1:14:43 PM UTC+1 Chromestatus wrote:

Contact emails nrosent...@chromium.org, mmo...@chromium.org 

Explainer https://github.com/w3c/paint-timing/blob/main/presentation-timestamps.md#security--privacy-self-review 

Specification https://w3c.github.io/paint-timing/#mark-paint-timing 

Design docs 
https://docs.google.com/document/d/1VxgMf1wlWzB4ViAW4ohkOe3AT0wQZKk7hC3IVq-cuw0/edit?tab=t.0#heading=h.fmic3y1ir4 

Summary 

All element-timing and LCP performance entries would have a non-zero 
renderTime, even if they are cross-origin without Timing-Allow-Origin. All 
presentation timestamps (renderTime, paint timing start time, event timing 
end time) will be coarsened to a 4ms multiple to mitigate the risk of 
reading cross-origin image information.


Blink component Blink>PerformanceAPIs 
<https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3EPerformanceAPIs>
 

TAG review None


I agree that given the lack of API shape changes, no TAG review is required.
 



TAG review status Not applicable 

Risks 


Interoperability and Compatibility 

This would un-zero metrics in RUM dashboards, which is generally positive. 
The coarsening might move LCP/FCP metrics by ~2ms on average, which RUM 
providers should be notified of.

Have y'all done some outreach?
 



*Gecko*: Positive (https://github.com/mozilla/standards-positions/issues/191) 
Firefox are implementing LCP, however the current way render timing works 
(and the reason it needs to be coarsened) is implementation specific and 
not part of the spec. 

*WebKit*: N/A Safari currently does not expose precise render times, and 
does not intend to. 

*Web developers*: No signals 

*Other signals*: This was discussed in the WebPerfWG. See minutes: 
https://docs.google.com/document/d/1tw9QTHWvXg-loG6qaeeosOXTCeH41wst6MehQsc3WwM/edit?tab=t.0#heading=h.xlke2hcqy65x 

Security 

This exposes information that was not directly exposed before - render time 
of an image - however it was obtainable in other ways, by rendering a 
same-origin and cross-origin image in the same frame. By coarsening render 
times further, we improve on this situation despite the explicit exposure 
of that timestamp.


WebView application risks 

Does this intent deprecate or change behavior of existing APIs, such that 
it has potentially high risk for Android WebView-based applications?

None


Debuggability 

None


Will this feature be supported on all six Blink platforms (Windows, Mac, 
Linux, ChromeOS, Android, and Android WebView)? No


I'm guessing this should be "yes"?
 



Is this feature fully tested by web-platform-tests 
<https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>? Yes 

https://wpt.fyi/results/largest-contentful-paint?label=experimental&label=master&aligned 
and https://wpt.fyi/results/element-timing?label=experimental&label=master&aligned 
had to be modified for this.


Flag name on about://flags ExposeCoarsenedRenderTime 

Finch feature name ExposeCoarsenedRenderTime 

Requires code in //chrome? False 

Tracking bug https://issues.chromium.org/issues/373263977 

Estimated milestones Shipping on desktop 133 Shipping on Android 133 Shipping 
on WebView 133 

Anticipated spec changes 

Open questions about a feature may be a source of future web compat or 
interop issues. Please list open issues (e.g. links to known github issues 
in the project for the feature specification) whose resolution may 
introduce web compat/interop risk (e.g., changing to naming or structure of 
the API in a non-backward-compatible way).
Removing TAO restriction in paint-timing. 

Link to entry on the Chrome Platform Status 
https://chromestatus.com/feature/5128261284397056?gate=5150397008969728 

Links to previous Intent discussions Intent to Prototype: 
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/670d4c25.2b0a0220.137ef7.096d.GAE%40google.com 


This intent message was generated by Chrome Platform Status 
<https://chromestatus.com>. 
