Can't determine whether there were no redirects or redirect failed timing allow check #73
Comments
Similar discussion in RT: w3c/resource-timing#42. I'm supportive of including an explicit "not allowed" signal as I see too many people struggle with it:
Which, in itself, is a security precaution, right? Can you learn presence of a redirect via other means?
I'll dig into this a bit more, but some random thoughts… Unsure if referrer might give some hints in some situations (need to go re-read the spec). Longer than 'normal' fetchStarts might also hint at redirects, but could also be due to slow unload handlers on another site (with TAO), queuing in browser, etc. Even if a site owner adds a TAO header to pick up their own redirects, they'll lose them if there's a third party at the start of the chain, e.g. http://bit.ly/2sHIF0Y > http://andydavies.me > https://andydavies.me. If I want to do anything with redirects from a RUM PoV, the only approach I can see at the moment is to ignore any where redirect count is zero, but I've no way of telling how many positives I'm excluding.
In order to expose this data we need opt-in from the redirect origins. Exposing "failed" signal is, by itself, also leaking information that is otherwise not available. Closing, as this behavior is by design. Feel free to reopen if you disagree. :)
When timing allow check fails redirectCount is explicitly set to zero (https://w3c.github.io/navigation-timing/#dom-performancenavigationtiming-redirectcount)
This makes it impossible to determine whether there were actually no redirects or just the information isn't available due to security restrictions.
Is it possible to have an explicit signal on when information like this isn't available due to security restrictions?
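
The reporting consequence discussed in this thread, as an added example that is not part of the original issue or its comments: a RUM aggregation that reports redirect timing only for entries with a non-zero `redirectCount` and counts zero-count entries as ambiguous rather than as "no redirect". The names `summarizeRedirects`, `median` and `sampleEntries` are hypothetical, and the entries are constructed objects shaped like `PerformanceNavigationTiming`.

```javascript
// Constructed sample data (not real measurements). In a browser these would
// come from performance.getEntriesByType("navigation").
const sampleEntries = [
  { name: "https://example.test/a", redirectCount: 2, redirectStart: 5, redirectEnd: 185 },
  { name: "https://example.test/b", redirectCount: 0, redirectStart: 0, redirectEnd: 0 },
  { name: "https://example.test/c", redirectCount: 0, redirectStart: 0, redirectEnd: 0 },
  { name: "https://example.test/d", redirectCount: 1, redirectStart: 2, redirectEnd: 62 },
];

// Median of a numeric array; returns null for an empty array.
function median(values) {
  if (values.length === 0) return null;
  const sorted = [...values].sort((a, b) => a - b);
  const mid = Math.floor(sorted.length / 2);
  return sorted.length % 2 ? sorted[mid] : (sorted[mid - 1] + sorted[mid]) / 2;
}

// Split entries into "redirects observed" and "ambiguous".
// redirectCount === 0 means either no redirect happened or the timing allow
// check failed, so those entries are never reported as redirect-free.
function summarizeRedirects(entries) {
  const redirectMs = [];
  let ambiguous = 0;
  for (const e of entries) {
    if (e.redirectCount > 0) {
      redirectMs.push(e.redirectEnd - e.redirectStart);
    } else {
      ambiguous += 1;
    }
  }
  const total = entries.length;
  return {
    observed: redirectMs.length,
    ambiguous,
    // Share of samples whose redirect status cannot be determined.
    ambiguousShare: total === 0 ? 0 : ambiguous / total,
    // Describes only the observed subset, not the whole population.
    medianRedirectMs: median(redirectMs),
  };
}

console.log(summarizeRedirects(sampleEntries));
```

Publishing `ambiguousShare` next to the median makes it visible how much of the population the redirect figure leaves out.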