Improve TAO definition #197
Conversation
| @@ -518,8 +515,7 @@ <h3>The <dfn>PerformanceResourceTiming</dfn> Interface</h3> | |||
| <a data-cite="HTML#or-equivalent" data-lt= | |||
| 'HTTP response codes equivalence'>equivalent</a> when <a data-cite= | |||
| "FETCH#concept-fetch" data-lt='fetch'>fetching</a> the resource and | |||
| <strong>all</strong> the redirects or equivalent pass the <a>timing | |||
| allow check</a> algorithm.</li> | |||
| the resource passes the <a>timing allow check</a> algorithm.</li> | |||
There was a problem hiding this comment.
removed the "all the redirects" reference as it is now implied by passing TAO
| @@ -933,8 +916,8 @@ <h3>Cross-origin Resources</h3> | |||
| <a data-cite= | |||
| "PERFORMANCE-TIMELINE-2#performance-timeline">Performance | |||
| Timeline</a>. If the <a>timing allow check</a> algorithm fails for | |||
| a <a>cross-origin</a> resource, these attributes of its | |||
| <a>PerformanceResourceTiming</a> object MUST be set to zero: | |||
| a resource, these attributes of its <a>PerformanceResourceTiming</a> | |||
There was a problem hiding this comment.
removed the "cross-origin" wording, as we want the check to run on same-origin resources as well
index.html
Outdated
| of the <a>current document</a>'s <a | ||
| data-cite="DOM#concept-document-origin">origin</a>, nor a | ||
| wildcard ("<code>*</code>"), and <var>tainted</var> is | ||
| true, return <code>fail</code>.</p></li> |
There was a problem hiding this comment.
I don't get the point of this variable. We do need to check any cross-origins but what happens if we have a redirect from the cross-origin to the original origin (same-origin)? Then we'd need to include ourselves in the TAO header list?
There was a problem hiding this comment.
I think so (either ourselves or '*')
There was a problem hiding this comment.
And why is this needed for TAO? This would require websites to whitelist themselves, which does not seem like what we want.
index.html
Outdated
| <li><p>If the resource's <a>Request</a>'s <a | ||
| data-cite="FETCH#concept-request-window">window</a> is not an <a | ||
| data-cite="HTML/webapppapis.html#environment-settings-object">environment | ||
| settings object</a>, set tainted to true</p></li> |
There was a problem hiding this comment.
@annevk - can you double check that this part makes sense? Added it to avoid trying to look at the origin of a client that's not a settings object
There was a problem hiding this comment.
I recommend using https://fetch.spec.whatwg.org/#concept-request-origin for comparisons.
yoavweiss
changed the title
index.html
Outdated
| @@ -958,7 +940,7 @@ <h4><code>Timing-Allow-Origin</code> Response Header</h4> | |||
| Timing-Allow-Origin = 1#( <a data-cite= | |||
| "FETCH#origin-header">origin-or-null</a> / <a data-cite= | |||
| "FETCH#http-new-header-syntax">wildcard</a> ) | |||
| </pre> | |||
| </pre> | |||
There was a problem hiding this comment.
In my preview this is showing the content has changed to a bunch of lines instead of a single line
There was a problem hiding this comment.
I reverted that change and still see it in the diff... Preview seems fine though
Supersedes #172 and improves on #196 by aligning with the CORS model, even if in a handwavy way for now.
Preview | Diff