Prepare for FETCH integration #261
Conversation
|
@yoavweiss @annevk: this is how the FETCH integration would look like from the RT side. |
- Remove duplicates that are moved to FETCH - Add an exported algorithm to mark resource timing
|
Some explanation:
|
When response is a network error or body is fully read, finalize and report the response. Depends on whatwg/fetch#1185 See: w3c/resource-timing#261 and w3c/resource-timing#252
When response is a network error or body is fully read, finalize and report the response. Depends on whatwg/fetch#1185 See: w3c/resource-timing#261 and w3c/resource-timing#252
There was a problem hiding this comment.
I really like how this becomes an API just returning values from a model rather than a bunch of prose you have to mentally parse into a model.
One thing I realized is that with our current approach to timers we leave the raw time vulnerable to Spectre attacks. Implementations can probably invert it, but hmm.
index.html
Outdated
| <li>If the fetched resource results in an HTTP redirect or | ||
| <a data-cite="HTML#or-equivalent" data-lt= | ||
| 'HTTP response codes equivalence'>equivalent</a>, then | ||
| <li><a>Queue a global task</a> on the <a>networking task source</a> with |
There was a problem hiding this comment.
Why do we need a task here? Aren't we already on a task so this can be done synchronously?
There was a problem hiding this comment.
Not necessarily. Someone needs to queue a task on the global object. We can have FETCH queue this task on the taskDestination instead, but there is no guarantee that it's the global object.
Since we anyway need a global object for the time origin, I thought making this re-entrant and queue it here would be right, but open to do this in a different way.
There was a problem hiding this comment.
One thing I realized is that with our current approach to timers we leave the raw time vulnerable to Spectre attacks. Implementations can probably invert it, but hmm.
Do you mean that we leave the raw timers in the renderer's memory, and a Spectre attacker can use low resolution timers to steal high-resolution timers and amplify the attacks?
index.html
Outdated
| response end time</a> minus <a>this</a>'s | ||
| <p data-dfn-for="PerformanceResourceTiming">On getting, the <dfn>workerStart</dfn> attribute | ||
| returns the result of calling <a>convert fetch timestamp</a> for <a>this</a>'s | ||
| <a data-for="PerformanceResourceTiming">timing info</a>'s <a for="fetch timing info"> |
There was a problem hiding this comment.
Might be interesting to abstract the boilerplate away from all these getters, but I'm not sure if/how we can do that. @annevk - thoughts?
There was a problem hiding this comment.
The modern style would be:
The X getter steps are to return the result of calling ...
For the latter part, we'd have to do the conversion earlier somehow.
This seems true, but I'm not sure I see the risk. If the attacker has a timer that's good enough to use Spectre-like attacks to access the raw timer, then they don't need the raw timer in the first place. |
|
In theory raw timers could be used for cross-process attacks. In practice this is probably infeasible, but it's always nice if the model is the best it can be. There might also be some fingerprinting risks. If I help out figuring out how we can do this, would you be okay with it? (It seems to me that fetch has access to the cross-origin isolated capability through the client so we could use that to obtain a time in the granularity we need, although this will need a new hook.) Note that this would also solve the boilerplate issue @yoavweiss mentioned above. |
|
I'm not sure it's essential, but if there's a reasonable way to spec things such that we don't need to store the information in a renderer, wonderful! I'd certainly support that, and as you say, it does seem possible for resource timing. |
You mean, coarsen the timestamps earlier and not when they're accessed through the getter? |
|
Yeah, exactly. |
Fetch needs to obtain time values from in parallel and would like to avoid having to store raw time values and hand these over to "attacker" agent clusters. I also changed some unordered lists to ordered lists as they are sequences of steps. (As discussed in w3c/resource-timing#261.)
noamr
changed the title
index.html
Outdated
| <a>global object</a> |global|, do the following: | ||
| <ol> | ||
| <li>If |ts| is zero, return zero. | ||
| <li>Otherwise, return the <a>relative high resolution time</a> given |ts| and |global|. |
There was a problem hiding this comment.
This now coarsens |ts| twice. I'm not sure if that's a problem?
There was a problem hiding this comment.
It's not. But I think it doesn't need to be re-coarsened. Let me check if it can be improved
There was a problem hiding this comment.
Yeah, coarsening twice is not ideal. Maybe we can expose the diff algorithm from the timestamps to the timeorigin as a separate algorithm?
There was a problem hiding this comment.
Why not. once w3c/hr-time#114 is in I'll amend this one.
|
|
index.html
Outdated
| <a>global object</a> |global|, do the following: | ||
| <ol> | ||
| <li>If |ts| is zero, return zero. | ||
| <li>Otherwise, return the <a>relative high resolution time</a> given |ts| and |global|. |
There was a problem hiding this comment.
Yeah, coarsening twice is not ideal. Maybe we can expose the diff algorithm from the timestamps to the timeorigin as a separate algorithm?
This defines the foundation for the PerformanceResourceTiming API and its properties. Note that the names used here are not a 1:1 match, e.g., post-redirect start time is fetchStart in the API. Note that Fetch doesn't decide when to create and enqueue PerformanceResourceTiming objects, but rather creates a data structure that holds the different time values, and it's up to the caller to invoke the newly-added finalize and report timing. Fetch also has a new callback, processResponseDone, for when the response errors or EOFs, which lets callers like the fetch() API invoke finalize and report timing at the right time. This change also makes fetch() adopt that. It's the first phase for addressing w3c/resource-timing#252, which contains a link to the other required steps to address Resource Timing/Navigation Timing/HTML/Fetch integration. Corresponding Resource Timing PR: w3c/resource-timing#261. (Once that lands there'll be a subsequent change to Fetch to resolve the remaining TODO.) Co-authored-by: Anne van Kesteren <[email protected]>
For resource-timing, we pre-coarsen the timestamps before they can be converted to relative timestamps, so the inermediate algorithm to calculate the relative timestamp from a pre-coarsened absolulte timestamp is needed. See w3c/resource-timing#261
| <ol> | ||
| <li>If the resource's <a>Request</a>'s | ||
| <a data-cite="Fetch#concept-request-destination">destination</a> equals to | ||
| "document", set <a>workerStart</a> to zero. |
There was a problem hiding this comment.
Here I believe the Fetch integration resulted in setting workerStart to zero for all destinations. I think it's cleaner, but it's a behavior change so we want to make sure implementations align with that.
We should file bugs and add tests on that front.
There was a problem hiding this comment.
/cc @wanderview in case he has opinions given past discussion
There was a problem hiding this comment.
Can you open a Resource Timing issue on the fact that we need better tests here to verify the new behavior? (as well as reporting that as an implementation issues)
index.html
Outdated
| section.</p> | ||
| <section id="sec-timing-allow-origin"> | ||
| <h4><code>Timing-Allow-Origin</code> Response Header</h4> | ||
| <p class="note">This section is non-normative.</p> |
There was a problem hiding this comment.
This section should be normative.
index.html
Outdated
| separated by a comma.</p> | ||
| <p>The <dfn>timing allow check</dfn> algorithm, which checks | ||
| <h3>Cross-origin Resources</h3> | ||
| <p class="note" data-dfn-for="PerformanceResourceTiming">As detailed in [=fetch=], |
index.html
Outdated
| cross-origin resources are included as <a>PerformanceResourceTiming</a> objects in the | ||
| <a data-cite="PERFORMANCE-TIMELINE-2#performance-timeline">Performance | ||
| Timeline</a>. If the <a href="FETCH#concept-tao-check">timing allow check</a> algorithm | ||
| fails for a resource, these attributes of its <a>PerformanceResourceTiming</a> |
There was a problem hiding this comment.
Nit: s/these/the following/
|
Opened HTML issue whatwg/html#6542 to track specific elements that should/shouldn't be integrated. |
index.html
Outdated
| @@ -254,7 +259,7 @@ <h3>Resources Included in the <a>PerformanceResourceTiming</a> | |||
| <a data-cite= | |||
| "PERFORMANCE-TIMELINE-2#performance-timeline">Performance | |||
| Timeline</a>, unless excluded from the timeline as part of the <a | |||
| href="#processing-model">processing model</a>. | |||
| href="FETCH#concept-fetch">fetching process</a>. | |||
There was a problem hiding this comment.
This link does not seem to work in the Preview. Is this a Preview bug or does it need to be fixed?
index.html
Outdated
| "FETCH#concept-fetch">fetch</a> redirected to a different URL.</dd> | ||
| <dt><dfn>name</dfn> | ||
| <dd>The <a>name</a> getter steps are to return the | ||
| <a data-for="PerformanceResourceTiming">requested URL</a> |
There was a problem hiding this comment.
The requested URL of who? I think you need to use this. Also, nit: no period at end of sentence.
index.html
Outdated
| Otherwise, this attribute MUST return the same value as | ||
| <a>fetchStart</a>.</dd> | ||
| <dd><p data-dfn-for="PerformanceResourceTiming">The <a>startTime</a> getter | ||
| steps are to <a>convert fetch timestamp</a> for <a>this</a>' |
There was a problem hiding this comment.
nit: sadly it would be this's, here and throughout.
index.html
Outdated
| respectively.</dd> | ||
| <dd> | ||
| <p data-dfn-for="PerformanceResourceTiming">The <a>duration</a> getter | ||
| steps are to <a>convert fetch timestamp</a> for <a>this</a>' |
There was a problem hiding this comment.
convert fetch timestamp receives two parameters, so you need to add the relevant global in both uses here. Alternatively, maybe it always uses the context object's global object so you could get rid of the second parameter there?
index.html
Outdated
| "HTML#resolve-a-url">resolved URL</a> of the requested resource. | ||
| This attribute MUST NOT change even if the <a data-cite= | ||
| "FETCH#concept-fetch">fetch</a> redirected to a different URL.</dd> | ||
| <dt><dfn>name</dfn> |
There was a problem hiding this comment.
It seems more logical to me to place this after the IDL and after announcing the associated values to the object (some of them used in here). So basically I suggest moving this to right before JSON
index.html
Outdated
| is called, run [[WEBIDL]]'s <a data-cite= | ||
| "WEBIDL#default-tojson-operation">default toJSON operation</a>.</p> | ||
| <p data-dfn-for="PerformanceResourceTiming"> | ||
| <dfn>initiatorType</dfn> getter steps would be to return the |
There was a problem hiding this comment.
nit: "The initiatorType getter steps are to return", for consistency with the rest?
index.html
Outdated
| info</a>'s [=fetch timing info/final connection timing info=]'s | ||
| [=connection timing info/domain lookup start time=] and the <a>relevant global object</a> for | ||
| <a>this</a>. | ||
| See <a data-cite="FETCH#concept-recording-connection-timing-info">Recording connection timing |
There was a problem hiding this comment.
I guess this link will only work after landing the FETCH part? Not currently linking to anything
index.html
Outdated
| explicitly allow all timing information to be collected for a | ||
| resource by adding the <a>Timing-Allow-Origin</a> HTTP response | ||
| resource by adding the [=request/timing allow failed flag|Timing Allow Origin=] HTTP response |
There was a problem hiding this comment.
This is the wrong link. You're talking about a header but linking to a flag.
index.html
Outdated
| header, which specifies the domains that are allowed to access the | ||
| timing information.</p> | ||
| <p>Statistical fingerprinting is a privacy concern where a | ||
| malicious web site may determine whether a user has visited a | ||
| third-party web site by measuring the timing of cache hits and | ||
| misses of resources in the third-party web site. Though the | ||
| <a>PerformanceResourceTiming</a> interface gives timing information | ||
| for resources in a document, the <a href= | ||
| "#sec-cross-origin-resources">cross-origin restrictions</a> prevent | ||
| for resources in a document, the <a data-cite="FETCH#">cross-origin restrictions</a> prevent |
index.html
Outdated
| <p class="note" data-dfn-for="PerformanceResourceTiming">As detailed in [=Fetch=], | ||
| cross-origin resources are included as <a>PerformanceResourceTiming</a> objects in the | ||
| <a data-cite="PERFORMANCE-TIMELINE-2#performance-timeline">Performance | ||
| Timeline</a>. If the <a href="FETCH#concept-tao-check">timing allow check</a> algorithm |
index.html
Outdated
| "FETCH#concept-response-timing-allow-passed"> | ||
| timing allow passed flag</a>.</li> | ||
| </ol> | ||
| <p>The <a>Timing-Allow-Origin</a> check is performed as part of |
There was a problem hiding this comment.
TAO is a header, not a check, so you may want to word this more precisely (the headers are processed in fetch to compute the attributes accordingly?)
index.html
Outdated
|
|
||
| <p>A <a>PerformanceResourceTiming</a> has an associated DOMstring |
| the header's value may come from the revalidation response, or if not present | ||
| there, from the original cached resource.</p> | ||
| </section> | ||
| <section id="sec-iana-considerations"> |
There was a problem hiding this comment.
Can you bring back the IANA considerations section?
| <ol> | ||
| <li>If the resource's <a>Request</a>'s | ||
| <a data-cite="Fetch#concept-request-destination">destination</a> equals to | ||
| "document", set <a>workerStart</a> to zero. |
There was a problem hiding this comment.
Can you open a Resource Timing issue on the fact that we need better tests here to verify the new behavior? (as well as reporting that as an implementation issues)
When response is a network error or body is fully read, finalize and report the response. Depends on whatwg/fetch#1185 See: w3c/resource-timing#261 and w3c/resource-timing#252
When response is a network error or body is fully read, finalize and report the response. Depends on whatwg/fetch#1185. Also see w3c/resource-timing#261 and w3c/resource-timing#252.
When response is a network error or body is fully read, finalize and report the response. Depends on whatwg/fetch#1185. Also see w3c/resource-timing#261 and w3c/resource-timing#252.
See whatwg/fetch#1185 and #252
Preview | Diff