Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Provide clear guidelines for what Timing-Allow-Origin should expose #664

Open
noamr opened this issue Jan 2, 2025 · 7 comments
Open

Provide clear guidelines for what Timing-Allow-Origin should expose #664

noamr opened this issue Jan 2, 2025 · 7 comments

Comments

@noamr
Copy link

noamr commented Jan 2, 2025

Timing-Allow-Origin (defined in the fetch spec) is a header that signals the user agent that particular timing-related characteristics of fetching a resource should be visible to the requesting origin, irrespective of whether it was requested via CORS.

Since its inception, several new additions were proposed to resource timing, and more often than not it was unclear whether this opt-in is a sufficient signal that it's OK to expose this particular bit of information.

Those so far include exposing content-type, the status code, and content-encoding (see w3c/resource-timing#411 and whatwg/fetch#1796 for the latter).

With each of these, and potentially with future additions in mind, we would like to have a clear general guidelines of what is "OK" to expose for cross-origin resources that are served with the appropriate Timing-Allow-Origin header, what requires CORS, and what has to be same-origin.

There are roughly three ways to go about it (from conservative to relaxed)

  1. We don't add more things that Timing-Allow-Origin can expose, as to not overload new meanings on old opt-ins.
  2. Timing-Allow-Origin can expose only values that are specifically timing values, as in durations and timestamps.
  3. Timing-Allow-Origin can expose anything that is information about the fetch, but is not information about the resource itself. i.e., if the response was cached and retrieved in a service worker you'd get a different result.

Would love to have some collective thoughts about it and reach a guideline before we ship anything new in resource timing.

/cc @yoavweiss @annevk @achristensen07 @camillelamy @arturjanc @ddworken
@annevk
Copy link
Member

annevk commented Jan 6, 2025

I think 3 is okay, but note that would make Content-Type and Content-Encoding not okay.

@noamr
Copy link
Author

noamr commented Jan 6, 2025

I think 3 is okay, but note that would make Content-Type and Content-Encoding not okay.

For content-type, sure. For content-encoding, gzip etc is resolved in the network fetch and the service-worker saved response shouldn't keep that content encoding (though might still have the header).

@annevk
Copy link
Member

annevk commented Jan 6, 2025

It is handled by fetch internally (and at the moment you cannot configure yourself out of that), but it is very much a property of the resource.

@arturjanc
Copy link
Contributor

A while ago we talked about something similar in the context of the Cross-Origin-Resource-Policy header in the Notes on the threat model of cross-origin isolation doc (specifically, the Subresources discussion and the summary).

My simplified mental model of what we landed on is that setting CORP (or, specifically setting CORP cross-origin) can implicitly expose metadata of resource loaded in no-cors mode (say, the Content-Type, or dimensions for images), but not the data (e.g. it shouldn't tell the embedder anything about the contents of the resource itself - that should require CORS).

Extending this logic to TAO, I think it would make sense for it to give access to information related to loading of the resource (e.g. timestamps/durations and potentially cache status), but not the metadata of the resource (such as Content-Type, status code, etc). This seems similar to @annevk's conclusion above, except that I'm less sure about not exposing Content-Encoding because it's not clearly metadata intrinsic to the resource itself and could be seen as information about the fetch of the resource.

OTOH it would a bit strange if Timing-Allow-Origin exposed non-timing information about the resource - this could be a footgun from a security perspective. So I think I land on something between options 2 and 3 above.

@noamr
Copy link
Author

noamr commented Jan 6, 2025

Note that TAO already exposes non-timing information about the resource, e.g. nextHopProtocol. However, the fact that we're doing this doesn't mean that we should keep doing it.

@annevk Regarding content-encoding: I see it as 100% something that's to do with the fetch and not the resource. A JSON file or a font has the same content and metadata whether it's downloaded via a gzip stream or a brotli stream or directly. For the browser it's the same resource and content-encoding is a detail relating to how to resource was acquired and not about the resource itself. So I think that saying that content-encoding should be CORS-protected and not TAO-protected is essentially going with (2) rather than with (3) (which I'm fine with).

@annevk
Copy link
Member

annevk commented Jan 6, 2025

Pretty sure all Content-* headers are about the resource. In any event, if 2 is also limited to the a fetch, then yes, I guess I'd argue for that.

@noamr
Copy link
Author

noamr commented Jan 6, 2025

Pretty sure all Content-* headers are about the resource. In any event, if 2 is also limited to the a fetch, then yes, I guess I'd argue for that.

Yea, (2) is a subset of (3). It's limited to the fetch, and within that only to things that are particularly related to timing.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@noamr @arturjanc @annevk