Hi, I'd like to change the timing allow check <https://fetch.spec.whatwg.org/#tao-check> used in Resource Timing so that it accounts for the tainted origin flag. The tainted origin flag is set once we see two cross-origin crosses in a redirect chain. Currently in Chrome we'd ignore this flag, whereas we propose requiring "*" in order to pass the check, which aligns with CORS behavior.
What this means is that if there is a redirect chain A -> B -> C, then the header in C cannot be a specific origin because the tainted origin flag is set, so it must be "*" in order for the timing allow check to pass and the PerformanceResourceTiming entry to get detailed timing information. There is a test for this here https://wpt.fyi/results/resource-timing/tao-origin-SO-XO-SO-redirect-chain.https.html?label=master&label=experimental&aligned (A -> B -> A), but I'm not sure how to interpret that it times out in Safari, so it would be nice to know if you support this change (it may already work properly in Safari, but it's hard for me to know). Thanks!
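The rule described in the message above, as an added example that is not part of the original email and is not Chrome, WebKit or Fetch specification code. It is a simplified model: the function names and the `*.example` URLs are assumptions made here, only the final response's `Timing-Allow-Origin` header is checked, and an all-same-origin chain stands in for "basic" response tainting.

```javascript
// Simplified model of the timing allow check with the tainted origin rule.
// Added illustration; all URLs are constructed sample values.

const originOf = (url) => new URL(url).origin;

// Redirect-taint rule: a hop taints the request when it crosses origins
// AND the URL it leaves is itself cross-origin to the requester
// (the second cross-origin crossing in the chain).
function hasTaintedOrigin(requestOrigin, urlList) {
  for (let i = 1; i < urlList.length; i++) {
    const prev = originOf(urlList[i - 1]);
    if (originOf(urlList[i]) !== prev && requestOrigin !== prev) return true;
  }
  return false;
}

// taoHeader: raw Timing-Allow-Origin value of the final response, or null.
function taoCheck(requestOrigin, urlList, taoHeader) {
  // Whole chain same-origin: detailed timing is exposed without a header.
  if (urlList.every((u) => originOf(u) === requestOrigin)) return true;
  const values = (taoHeader || "")
    .split(",")
    .map((v) => v.trim())
    .filter(Boolean);
  if (values.includes("*")) return true;
  // Once tainted, a specific origin no longer matches; only "*" passes.
  if (hasTaintedOrigin(requestOrigin, urlList)) return false;
  return values.includes(requestOrigin);
}

const A = "https://a.example", B = "https://b.example", C = "https://c.example";
const chains = {
  "page A loads B directly": [`${B}/r`],
  "A -> B -> A": [`${A}/1`, `${B}/2`, `${A}/3`],
  "A -> B -> C": [`${A}/1`, `${B}/2`, `${C}/3`],
};

// For each chain requested by a page on origin A, compare a header naming
// origin A against a header of "*".
function report() {
  return Object.entries(chains).map(([name, list]) => ({
    name,
    tainted: hasTaintedOrigin(A, list),
    specificOrigin: taoCheck(A, list, A),
    wildcard: taoCheck(A, list, "*"),
  }));
}
console.table(report());
```

Servers that sit behind cross-origin redirects and want their timing data visible would need to send `Timing-Allow-Origin: *` under this rule, which exposes detailed timing to every origin rather than a named one.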