New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Problematic cases with cross-origin iframes & aborted navigations #340
Comments
My instincts here are that we should treat the initial fetch as much as possible like any other resource. I don't think we should wait for the iframe's Assuming that You're right that that can expose some user behaviour... are there any other cases where the platforms allow a subresource request to be stopped by the user, that would expose similar timing info? |
But in this case it would be an aborted/terminated fetch, which would not become a RT entry. Only non-abort errors are reported. See abort a Document: all tasks queued from that fetch are to be discarded. And what about iframes without TAO? Perhaps a solution would be to report only IFrames with TAO (+ same-origin), and only the first navigation if it's completed, and report nothing for iframes without TAO.
AFAIK only iframes allow users autonomous interaction in a cross-origin context. |
I think if the user presses the stop button in the middle of a slow-loading cross-origin image load, then that image will get aborted? I'm not sure what event fires or what happens with resource timing in that case. |
According to spec there shouldn't be an RT entry. But in any case, stopping the load is an action in the embedding document, unlike an iframe abort due to internal navigation before body complete. |
So..what if we just do what the current spec expects? Like we don't expose the iframe request if it's aborted and if it doesn't, we expose it along with TAO checks. |
Then we expose that the abort happened, which exposes something about how the user interacted with a cross-origin iframe or about its content. |
A possible way forward that doesn't involve shutting down iframe reporting, a take on what @clelland had suggested:
|
This seems like a reasonable way forward, with minimal compat implications. I like it! |
An additional idea I had while on leave:
Pros:
Cons:
WDYT? @yoavweiss @clelland @nicjansma |
@clelland? Would love to see how this jives with the new frame-reporting thing. |
If I'm understanding the proposal(s) correctly, I think I'd prefer the Aug10 one which is to change the behavior of the RT entries vs. the Oct11 one which would remove XO-TAO-fail IFRAMEs from RT in favor of introducing the new entry type. If we continue to use RT entries none of the existing RUM scripts have to adjust their RT gathering logic (e.g. crawling frames, calling getEntriesByType or a PO w/ If we change to a new PerformanceSubframeTiming type, all RUM scripts would have to adjust or their "visibility" into the IFRAME existing will break. It seems reasonable to me to stop reporting of RT entries for IFRAMEs that abort, and for X-O IFRAMEs to be navigation to first load event. |
Isn't this a new timing channel? |
Yes, hence the proposals here to make navigation responseEnd TAO protected, and in the TAO-fail cases fall back to frame load time as the duration, which is already exposed. |
When encountering a cross-origin iframe without TAO, don't automatically report its fetch start/end times, as that might expose user interaction with the iframe (a cross-origin violation). Instead, report a fallback resource timing entry, with the navigation start time and the load event time of the iframe, which are already observable. (pending a Fetch PR) Closes w3c/resource-timing#340
… iframes Reporting the response end time for an iframe may leak information about user interaction with that iframe. See w3c/resource-timing#340
I drafted PRs to the HTML and fetch specs that implement this proposal |
… iframes Reporting the response end time for an iframe may leak information about user interaction with that iframe. See w3c/resource-timing#340
When encountering a cross-origin iframe without TAO, don't automatically report its fetch start/end times, as that might expose user interaction with the iframe (a cross-origin violation). Instead, report a fallback resource timing entry, with the navigation start time and the load event time of the iframe, which are already observable. Depends on whatwg/fetch#1579 Closes w3c/resource-timing#340
… iframes Reporting the response end time for an iframe may leak information about user interaction with that iframe. See w3c/resource-timing#340
This changes how frames, iframes & objects decide how to report their navigations as resource timing entries to their parent: - Any frame-initiated navigation (e.g. iframe.src change) is reported as an entry. This complies with current spec. - For nested navigations that fail Timing-Allow-Origin, we don't report the normal responseEnd - instead we report the load event time as the responseEnd, to prevent leakage of navigation-related cross-origin information (see w3c/resource-timing#340) This incidentally fixes other existing issues with nested navigations and resource timing, such as flaky tests and inconsistencies regarding restored iframes. Bug: 1404695 Bug: 1348080 Bug: 1290721 Bug: 1380078 Bug: 1378015 Bug: 957181 Spec changes: whatwg/html#8643 whatwg/fetch#1579 Change-Id: I010b026788193cc77a7de3f3d75304602f41fcd5
This changes how frames, iframes & objects decide how to report their navigations as resource timing entries to their parent: - Any frame-initiated navigation (e.g. iframe.src change) is reported as an entry. This complies with current spec. - For nested navigations that fail Timing-Allow-Origin, we don't report the normal responseEnd - instead we report the load event time as the responseEnd, to prevent leakage of navigation-related cross-origin information (see w3c/resource-timing#340) This incidentally fixes other existing issues with nested navigations and resource timing, such as flaky tests and inconsistencies regarding restored iframes. Bug: 1404695 Bug: 1348080 Bug: 1290721 Bug: 1380078 Bug: 1378015 Bug: 957181 Spec changes: whatwg/html#8643 whatwg/fetch#1579 Change-Id: I010b026788193cc77a7de3f3d75304602f41fcd5
This changes how frames, iframes & objects decide how to report their navigations as resource timing entries to their parent: - Any frame-initiated navigation (e.g. iframe.src change) is reported as an entry. This complies with current spec. - For nested navigations that fail Timing-Allow-Origin, we don't report the normal responseEnd - instead we report the load event time as the responseEnd, to prevent leakage of navigation-related cross-origin information (see w3c/resource-timing#340) This incidentally fixes other existing issues with nested navigations and resource timing, such as flaky tests and inconsistencies regarding restored iframes. Bug: 1404695 Bug: 1348080 Bug: 1290721 Bug: 1380078 Bug: 1378015 Bug: 957181 Spec changes: whatwg/html#8643 whatwg/fetch#1579 Change-Id: I010b026788193cc77a7de3f3d75304602f41fcd5
This changes how frames, iframes & objects decide how to report their navigations as resource timing entries to their parent: - Any frame-initiated navigation (e.g. iframe.src change) is reported as an entry. This complies with current spec. - For nested navigations that fail Timing-Allow-Origin, we don't report the normal responseEnd - instead we report the load event time as the responseEnd, to prevent leakage of navigation-related cross-origin information (see w3c/resource-timing#340) This incidentally fixes other existing issues with nested navigations and resource timing, such as flaky tests and inconsistencies regarding restored iframes. Bug: 1404695 Bug: 1348080 Bug: 1290721 Bug: 1380078 Bug: 1378015 Bug: 957181 Spec changes: whatwg/html#8643 whatwg/fetch#1579 Change-Id: I010b026788193cc77a7de3f3d75304602f41fcd5
This changes how frames, iframes & objects decide how to report their navigations as resource timing entries to their parent: - Any frame-initiated navigation (e.g. iframe.src change) is reported as an entry. This complies with current spec. - For nested navigations that fail Timing-Allow-Origin, we don't report the normal responseEnd - instead we report the load event time as the responseEnd, to prevent leakage of navigation-related cross-origin information (see w3c/resource-timing#340) This incidentally fixes other existing issues with nested navigations and resource timing, such as flaky tests and inconsistencies regarding restored iframes. Bug: 1404695 Bug: 1348080 Bug: 1290721 Bug: 1380078 Bug: 1378015 Bug: 957181 Spec changes: whatwg/html#8643 whatwg/fetch#1579 Change-Id: I010b026788193cc77a7de3f3d75304602f41fcd5 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4145963 Reviewed-by: Yoav Weiss <yoavweiss@chromium.org> Commit-Queue: Noam Rosenthal <nrosenthal@chromium.org> Cr-Commit-Position: refs/heads/main@{#1091970}
This changes how frames, iframes & objects decide how to report their navigations as resource timing entries to their parent: - Any frame-initiated navigation (e.g. iframe.src change) is reported as an entry. This complies with current spec. - For nested navigations that fail Timing-Allow-Origin, we don't report the normal responseEnd - instead we report the load event time as the responseEnd, to prevent leakage of navigation-related cross-origin information (see w3c/resource-timing#340) This incidentally fixes other existing issues with nested navigations and resource timing, such as flaky tests and inconsistencies regarding restored iframes. Bug: 1404695 Bug: 1348080 Bug: 1290721 Bug: 1380078 Bug: 1378015 Bug: 957181 Spec changes: whatwg/html#8643 whatwg/fetch#1579 Change-Id: I010b026788193cc77a7de3f3d75304602f41fcd5 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4145963 Reviewed-by: Yoav Weiss <yoavweiss@chromium.org> Commit-Queue: Noam Rosenthal <nrosenthal@chromium.org> Cr-Commit-Position: refs/heads/main@{#1091970}
…ing flow, a=testonly Automatic update from web-platform-tests Refactor nested-navigations resource-timing flow This changes how frames, iframes & objects decide how to report their navigations as resource timing entries to their parent: - Any frame-initiated navigation (e.g. iframe.src change) is reported as an entry. This complies with current spec. - For nested navigations that fail Timing-Allow-Origin, we don't report the normal responseEnd - instead we report the load event time as the responseEnd, to prevent leakage of navigation-related cross-origin information (see w3c/resource-timing#340) This incidentally fixes other existing issues with nested navigations and resource timing, such as flaky tests and inconsistencies regarding restored iframes. Bug: 1404695 Bug: 1348080 Bug: 1290721 Bug: 1380078 Bug: 1378015 Bug: 957181 Spec changes: whatwg/html#8643 whatwg/fetch#1579 Change-Id: I010b026788193cc77a7de3f3d75304602f41fcd5 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4145963 Reviewed-by: Yoav Weiss <yoavweiss@chromium.org> Commit-Queue: Noam Rosenthal <nrosenthal@chromium.org> Cr-Commit-Position: refs/heads/main@{#1091970} -- wpt-commits: 6cd6741bc20cd6b3ad9f95d19123b7850c696d79 wpt-pr: 37810
Chromium change: https://chromium.googlesource.com/chromium/src/+/48762ae06d8de05d3dc8ef727d04eaa223901786 commit 48762ae06d8de05d3dc8ef727d04eaa223901786 Author: Noam Rosenthal <nrosenthal@chromium.org> Date: Thu Jan 12 19:08:43 2023 +0000 Refactor nested-navigations resource-timing flow This changes how frames, iframes & objects decide how to report their navigations as resource timing entries to their parent: - Any frame-initiated navigation (e.g. iframe.src change) is reported as an entry. This complies with current spec. - For nested navigations that fail Timing-Allow-Origin, we don't report the normal responseEnd - instead we report the load event time as the responseEnd, to prevent leakage of navigation-related cross-origin information (see w3c/resource-timing#340) This incidentally fixes other existing issues with nested navigations and resource timing, such as flaky tests and inconsistencies regarding restored iframes. Bug: 1404695 Bug: 1348080 Bug: 1290721 Bug: 1380078 Bug: 1378015 Bug: 957181 Spec changes: whatwg/html#8643 whatwg/fetch#1579
Chromium change: https://chromium.googlesource.com/chromium/src/+/48762ae06d8de05d3dc8ef727d04eaa223901786 commit 48762ae06d8de05d3dc8ef727d04eaa223901786 Author: Noam Rosenthal <nrosenthal@chromium.org> Date: Thu Jan 12 19:08:43 2023 +0000 Refactor nested-navigations resource-timing flow This changes how frames, iframes & objects decide how to report their navigations as resource timing entries to their parent: - Any frame-initiated navigation (e.g. iframe.src change) is reported as an entry. This complies with current spec. - For nested navigations that fail Timing-Allow-Origin, we don't report the normal responseEnd - instead we report the load event time as the responseEnd, to prevent leakage of navigation-related cross-origin information (see w3c/resource-timing#340) This incidentally fixes other existing issues with nested navigations and resource timing, such as flaky tests and inconsistencies regarding restored iframes. Bug: 1404695 Bug: 1348080 Bug: 1290721 Bug: 1380078 Bug: 1378015 Bug: 957181 Spec changes: whatwg/html#8643 whatwg/fetch#1579
Chromium change: https://chromium.googlesource.com/chromium/src/+/48762ae06d8de05d3dc8ef727d04eaa223901786 commit 48762ae06d8de05d3dc8ef727d04eaa223901786 Author: Noam Rosenthal <nrosenthal@chromium.org> Date: Thu Jan 12 19:08:43 2023 +0000 Refactor nested-navigations resource-timing flow This changes how frames, iframes & objects decide how to report their navigations as resource timing entries to their parent: - Any frame-initiated navigation (e.g. iframe.src change) is reported as an entry. This complies with current spec. - For nested navigations that fail Timing-Allow-Origin, we don't report the normal responseEnd - instead we report the load event time as the responseEnd, to prevent leakage of navigation-related cross-origin information (see w3c/resource-timing#340) This incidentally fixes other existing issues with nested navigations and resource timing, such as flaky tests and inconsistencies regarding restored iframes. Bug: 1404695 Bug: 1348080 Bug: 1290721 Bug: 1380078 Bug: 1378015 Bug: 957181 Spec changes: whatwg/html#8643 whatwg/fetch#1579
Chromium change: https://chromium.googlesource.com/chromium/src/+/48762ae06d8de05d3dc8ef727d04eaa223901786 commit 48762ae06d8de05d3dc8ef727d04eaa223901786 Author: Noam Rosenthal <nrosenthal@chromium.org> Date: Thu Jan 12 19:08:43 2023 +0000 Refactor nested-navigations resource-timing flow This changes how frames, iframes & objects decide how to report their navigations as resource timing entries to their parent: - Any frame-initiated navigation (e.g. iframe.src change) is reported as an entry. This complies with current spec. - For nested navigations that fail Timing-Allow-Origin, we don't report the normal responseEnd - instead we report the load event time as the responseEnd, to prevent leakage of navigation-related cross-origin information (see w3c/resource-timing#340) This incidentally fixes other existing issues with nested navigations and resource timing, such as flaky tests and inconsistencies regarding restored iframes. Bug: 1404695 Bug: 1348080 Bug: 1290721 Bug: 1380078 Bug: 1378015 Bug: 957181 Spec changes: whatwg/html#8643 whatwg/fetch#1579
When encountering a cross-origin iframe without TAO, don't automatically report its fetch start/end times, as that might expose user interaction with the iframe (a cross-origin violation). Instead, report a fallback resource timing entry, with the navigation start time and the load event time of the iframe, which are already observable. Depends on whatwg/fetch#1579 Closes w3c/resource-timing#340
When encountering a cross-origin iframe without TAO, don't automatically report its fetch start/end times, as that might expose user interaction with the iframe (a cross-origin violation). Instead, report a fallback resource timing entry, with the navigation start time and the load event time of the iframe, which are already observable. Depends on whatwg/fetch#1579 Closes w3c/resource-timing#340
Chromium change: https://chromium.googlesource.com/chromium/src/+/48762ae06d8de05d3dc8ef727d04eaa223901786 commit 48762ae06d8de05d3dc8ef727d04eaa223901786 Author: Noam Rosenthal <nrosenthal@chromium.org> Date: Thu Jan 12 19:08:43 2023 +0000 Refactor nested-navigations resource-timing flow This changes how frames, iframes & objects decide how to report their navigations as resource timing entries to their parent: - Any frame-initiated navigation (e.g. iframe.src change) is reported as an entry. This complies with current spec. - For nested navigations that fail Timing-Allow-Origin, we don't report the normal responseEnd - instead we report the load event time as the responseEnd, to prevent leakage of navigation-related cross-origin information (see w3c/resource-timing#340) This incidentally fixes other existing issues with nested navigations and resource timing, such as flaky tests and inconsistencies regarding restored iframes. Bug: 1404695 Bug: 1348080 Bug: 1290721 Bug: 1380078 Bug: 1378015 Bug: 957181 Spec changes: whatwg/html#8643 whatwg/fetch#1579
Chromium change: https://chromium.googlesource.com/chromium/src/+/48762ae06d8de05d3dc8ef727d04eaa223901786 commit 48762ae06d8de05d3dc8ef727d04eaa223901786 Author: Noam Rosenthal <nrosenthal@chromium.org> Date: Thu Jan 12 19:08:43 2023 +0000 Refactor nested-navigations resource-timing flow This changes how frames, iframes & objects decide how to report their navigations as resource timing entries to their parent: - Any frame-initiated navigation (e.g. iframe.src change) is reported as an entry. This complies with current spec. - For nested navigations that fail Timing-Allow-Origin, we don't report the normal responseEnd - instead we report the load event time as the responseEnd, to prevent leakage of navigation-related cross-origin information (see w3c/resource-timing#340) This incidentally fixes other existing issues with nested navigations and resource timing, such as flaky tests and inconsistencies regarding restored iframes. Bug: 1404695 Bug: 1348080 Bug: 1290721 Bug: 1380078 Bug: 1378015 Bug: 957181 Spec changes: whatwg/html#8643 whatwg/fetch#1579
Chromium change: https://chromium.googlesource.com/chromium/src/+/48762ae06d8de05d3dc8ef727d04eaa223901786 commit 48762ae06d8de05d3dc8ef727d04eaa223901786 Author: Noam Rosenthal <nrosenthal@chromium.org> Date: Thu Jan 12 19:08:43 2023 +0000 Refactor nested-navigations resource-timing flow This changes how frames, iframes & objects decide how to report their navigations as resource timing entries to their parent: - Any frame-initiated navigation (e.g. iframe.src change) is reported as an entry. This complies with current spec. - For nested navigations that fail Timing-Allow-Origin, we don't report the normal responseEnd - instead we report the load event time as the responseEnd, to prevent leakage of navigation-related cross-origin information (see w3c/resource-timing#340) This incidentally fixes other existing issues with nested navigations and resource timing, such as flaky tests and inconsistencies regarding restored iframes. Bug: 1404695 Bug: 1348080 Bug: 1290721 Bug: 1380078 Bug: 1378015 Bug: 957181 Spec changes: whatwg/html#8643 whatwg/fetch#1579
Chromium change: https://chromium.googlesource.com/chromium/src/+/48762ae06d8de05d3dc8ef727d04eaa223901786 commit 48762ae06d8de05d3dc8ef727d04eaa223901786 Author: Noam Rosenthal <nrosenthal@chromium.org> Date: Thu Jan 12 19:08:43 2023 +0000 Refactor nested-navigations resource-timing flow This changes how frames, iframes & objects decide how to report their navigations as resource timing entries to their parent: - Any frame-initiated navigation (e.g. iframe.src change) is reported as an entry. This complies with current spec. - For nested navigations that fail Timing-Allow-Origin, we don't report the normal responseEnd - instead we report the load event time as the responseEnd, to prevent leakage of navigation-related cross-origin information (see w3c/resource-timing#340) This incidentally fixes other existing issues with nested navigations and resource timing, such as flaky tests and inconsistencies regarding restored iframes. Bug: 1404695 Bug: 1348080 Bug: 1290721 Bug: 1380078 Bug: 1378015 Bug: 957181 Spec changes: whatwg/html#8643 whatwg/fetch#1579
Chromium change: https://chromium.googlesource.com/chromium/src/+/48762ae06d8de05d3dc8ef727d04eaa223901786 commit 48762ae06d8de05d3dc8ef727d04eaa223901786 Author: Noam Rosenthal <nrosenthal@chromium.org> Date: Thu Jan 12 19:08:43 2023 +0000 Refactor nested-navigations resource-timing flow This changes how frames, iframes & objects decide how to report their navigations as resource timing entries to their parent: - Any frame-initiated navigation (e.g. iframe.src change) is reported as an entry. This complies with current spec. - For nested navigations that fail Timing-Allow-Origin, we don't report the normal responseEnd - instead we report the load event time as the responseEnd, to prevent leakage of navigation-related cross-origin information (see w3c/resource-timing#340) This incidentally fixes other existing issues with nested navigations and resource timing, such as flaky tests and inconsistencies regarding restored iframes. Bug: 1404695 Bug: 1348080 Bug: 1290721 Bug: 1380078 Bug: 1378015 Bug: 957181 Spec changes: whatwg/html#8643 whatwg/fetch#1579
Chromium change: https://chromium.googlesource.com/chromium/src/+/48762ae06d8de05d3dc8ef727d04eaa223901786 commit 48762ae06d8de05d3dc8ef727d04eaa223901786 Author: Noam Rosenthal <nrosenthal@chromium.org> Date: Thu Jan 12 19:08:43 2023 +0000 Refactor nested-navigations resource-timing flow This changes how frames, iframes & objects decide how to report their navigations as resource timing entries to their parent: - Any frame-initiated navigation (e.g. iframe.src change) is reported as an entry. This complies with current spec. - For nested navigations that fail Timing-Allow-Origin, we don't report the normal responseEnd - instead we report the load event time as the responseEnd, to prevent leakage of navigation-related cross-origin information (see w3c/resource-timing#340) This incidentally fixes other existing issues with nested navigations and resource timing, such as flaky tests and inconsistencies regarding restored iframes. Bug: 1404695 Bug: 1348080 Bug: 1290721 Bug: 1380078 Bug: 1378015 Bug: 957181 Spec changes: whatwg/html#8643 whatwg/fetch#1579
Chromium change: https://chromium.googlesource.com/chromium/src/+/48762ae06d8de05d3dc8ef727d04eaa223901786 commit 48762ae06d8de05d3dc8ef727d04eaa223901786 Author: Noam Rosenthal <nrosenthal@chromium.org> Date: Thu Jan 12 19:08:43 2023 +0000 Refactor nested-navigations resource-timing flow This changes how frames, iframes & objects decide how to report their navigations as resource timing entries to their parent: - Any frame-initiated navigation (e.g. iframe.src change) is reported as an entry. This complies with current spec. - For nested navigations that fail Timing-Allow-Origin, we don't report the normal responseEnd - instead we report the load event time as the responseEnd, to prevent leakage of navigation-related cross-origin information (see w3c/resource-timing#340) This incidentally fixes other existing issues with nested navigations and resource timing, such as flaky tests and inconsistencies regarding restored iframes. Bug: 1404695 Bug: 1348080 Bug: 1290721 Bug: 1380078 Bug: 1378015 Bug: 957181 Spec changes: whatwg/html#8643 whatwg/fetch#1579
Chromium change: https://chromium.googlesource.com/chromium/src/+/48762ae06d8de05d3dc8ef727d04eaa223901786 commit 48762ae06d8de05d3dc8ef727d04eaa223901786 Author: Noam Rosenthal <nrosenthal@chromium.org> Date: Thu Jan 12 19:08:43 2023 +0000 Refactor nested-navigations resource-timing flow This changes how frames, iframes & objects decide how to report their navigations as resource timing entries to their parent: - Any frame-initiated navigation (e.g. iframe.src change) is reported as an entry. This complies with current spec. - For nested navigations that fail Timing-Allow-Origin, we don't report the normal responseEnd - instead we report the load event time as the responseEnd, to prevent leakage of navigation-related cross-origin information (see w3c/resource-timing#340) This incidentally fixes other existing issues with nested navigations and resource timing, such as flaky tests and inconsistencies regarding restored iframes. Bug: 1404695 Bug: 1348080 Bug: 1290721 Bug: 1380078 Bug: 1378015 Bug: 957181 Spec changes: whatwg/html#8643 whatwg/fetch#1579
Chromium change: https://chromium.googlesource.com/chromium/src/+/48762ae06d8de05d3dc8ef727d04eaa223901786 commit 48762ae06d8de05d3dc8ef727d04eaa223901786 Author: Noam Rosenthal <nrosenthal@chromium.org> Date: Thu Jan 12 19:08:43 2023 +0000 Refactor nested-navigations resource-timing flow This changes how frames, iframes & objects decide how to report their navigations as resource timing entries to their parent: - Any frame-initiated navigation (e.g. iframe.src change) is reported as an entry. This complies with current spec. - For nested navigations that fail Timing-Allow-Origin, we don't report the normal responseEnd - instead we report the load event time as the responseEnd, to prevent leakage of navigation-related cross-origin information (see w3c/resource-timing#340) This incidentally fixes other existing issues with nested navigations and resource timing, such as flaky tests and inconsistencies regarding restored iframes. Bug: 1404695 Bug: 1348080 Bug: 1290721 Bug: 1380078 Bug: 1378015 Bug: 957181 Spec changes: whatwg/html#8643 whatwg/fetch#1579
Chromium change: https://chromium.googlesource.com/chromium/src/+/48762ae06d8de05d3dc8ef727d04eaa223901786 commit 48762ae06d8de05d3dc8ef727d04eaa223901786 Author: Noam Rosenthal <nrosenthal@chromium.org> Date: Thu Jan 12 19:08:43 2023 +0000 Refactor nested-navigations resource-timing flow This changes how frames, iframes & objects decide how to report their navigations as resource timing entries to their parent: - Any frame-initiated navigation (e.g. iframe.src change) is reported as an entry. This complies with current spec. - For nested navigations that fail Timing-Allow-Origin, we don't report the normal responseEnd - instead we report the load event time as the responseEnd, to prevent leakage of navigation-related cross-origin information (see w3c/resource-timing#340) This incidentally fixes other existing issues with nested navigations and resource timing, such as flaky tests and inconsistencies regarding restored iframes. Bug: 1404695 Bug: 1348080 Bug: 1290721 Bug: 1380078 Bug: 1378015 Bug: 957181 Spec changes: whatwg/html#8643 whatwg/fetch#1579
Chromium change: https://chromium.googlesource.com/chromium/src/+/48762ae06d8de05d3dc8ef727d04eaa223901786 commit 48762ae06d8de05d3dc8ef727d04eaa223901786 Author: Noam Rosenthal <nrosenthal@chromium.org> Date: Thu Jan 12 19:08:43 2023 +0000 Refactor nested-navigations resource-timing flow This changes how frames, iframes & objects decide how to report their navigations as resource timing entries to their parent: - Any frame-initiated navigation (e.g. iframe.src change) is reported as an entry. This complies with current spec. - For nested navigations that fail Timing-Allow-Origin, we don't report the normal responseEnd - instead we report the load event time as the responseEnd, to prevent leakage of navigation-related cross-origin information (see w3c/resource-timing#340) This incidentally fixes other existing issues with nested navigations and resource timing, such as flaky tests and inconsistencies regarding restored iframes. Bug: 1404695 Bug: 1348080 Bug: 1290721 Bug: 1380078 Bug: 1378015 Bug: 957181 Spec changes: whatwg/html#8643 whatwg/fetch#1579
Chromium change: https://chromium.googlesource.com/chromium/src/+/48762ae06d8de05d3dc8ef727d04eaa223901786 commit 48762ae06d8de05d3dc8ef727d04eaa223901786 Author: Noam Rosenthal <nrosenthal@chromium.org> Date: Thu Jan 12 19:08:43 2023 +0000 Refactor nested-navigations resource-timing flow This changes how frames, iframes & objects decide how to report their navigations as resource timing entries to their parent: - Any frame-initiated navigation (e.g. iframe.src change) is reported as an entry. This complies with current spec. - For nested navigations that fail Timing-Allow-Origin, we don't report the normal responseEnd - instead we report the load event time as the responseEnd, to prevent leakage of navigation-related cross-origin information (see w3c/resource-timing#340) This incidentally fixes other existing issues with nested navigations and resource timing, such as flaky tests and inconsistencies regarding restored iframes. Bug: 1404695 Bug: 1348080 Bug: 1290721 Bug: 1380078 Bug: 1378015 Bug: 957181 Spec changes: whatwg/html#8643 whatwg/fetch#1579
Chromium change: https://chromium.googlesource.com/chromium/src/+/48762ae06d8de05d3dc8ef727d04eaa223901786 commit 48762ae06d8de05d3dc8ef727d04eaa223901786 Author: Noam Rosenthal <nrosenthal@chromium.org> Date: Thu Jan 12 19:08:43 2023 +0000 Refactor nested-navigations resource-timing flow This changes how frames, iframes & objects decide how to report their navigations as resource timing entries to their parent: - Any frame-initiated navigation (e.g. iframe.src change) is reported as an entry. This complies with current spec. - For nested navigations that fail Timing-Allow-Origin, we don't report the normal responseEnd - instead we report the load event time as the responseEnd, to prevent leakage of navigation-related cross-origin information (see w3c/resource-timing#340) This incidentally fixes other existing issues with nested navigations and resource timing, such as flaky tests and inconsistencies regarding restored iframes. Bug: 1404695 Bug: 1348080 Bug: 1290721 Bug: 1380078 Bug: 1378015 Bug: 957181 Spec changes: whatwg/html#8643 whatwg/fetch#1579
Chromium change: https://chromium.googlesource.com/chromium/src/+/48762ae06d8de05d3dc8ef727d04eaa223901786 commit 48762ae06d8de05d3dc8ef727d04eaa223901786 Author: Noam Rosenthal <nrosenthal@chromium.org> Date: Thu Jan 12 19:08:43 2023 +0000 Refactor nested-navigations resource-timing flow This changes how frames, iframes & objects decide how to report their navigations as resource timing entries to their parent: - Any frame-initiated navigation (e.g. iframe.src change) is reported as an entry. This complies with current spec. - For nested navigations that fail Timing-Allow-Origin, we don't report the normal responseEnd - instead we report the load event time as the responseEnd, to prevent leakage of navigation-related cross-origin information (see w3c/resource-timing#340) This incidentally fixes other existing issues with nested navigations and resource timing, such as flaky tests and inconsistencies regarding restored iframes. Bug: 1404695 Bug: 1348080 Bug: 1290721 Bug: 1380078 Bug: 1378015 Bug: 957181 Spec changes: whatwg/html#8643 whatwg/fetch#1579
Chromium change: https://chromium.googlesource.com/chromium/src/+/48762ae06d8de05d3dc8ef727d04eaa223901786 commit 48762ae06d8de05d3dc8ef727d04eaa223901786 Author: Noam Rosenthal <nrosenthal@chromium.org> Date: Thu Jan 12 19:08:43 2023 +0000 Refactor nested-navigations resource-timing flow This changes how frames, iframes & objects decide how to report their navigations as resource timing entries to their parent: - Any frame-initiated navigation (e.g. iframe.src change) is reported as an entry. This complies with current spec. - For nested navigations that fail Timing-Allow-Origin, we don't report the normal responseEnd - instead we report the load event time as the responseEnd, to prevent leakage of navigation-related cross-origin information (see w3c/resource-timing#340) This incidentally fixes other existing issues with nested navigations and resource timing, such as flaky tests and inconsistencies regarding restored iframes. Bug: 1404695 Bug: 1348080 Bug: 1290721 Bug: 1380078 Bug: 1378015 Bug: 957181 Spec changes: whatwg/html#8643 whatwg/fetch#1579
Chromium change: https://chromium.googlesource.com/chromium/src/+/48762ae06d8de05d3dc8ef727d04eaa223901786 commit 48762ae06d8de05d3dc8ef727d04eaa223901786 Author: Noam Rosenthal <nrosenthal@chromium.org> Date: Thu Jan 12 19:08:43 2023 +0000 Refactor nested-navigations resource-timing flow This changes how frames, iframes & objects decide how to report their navigations as resource timing entries to their parent: - Any frame-initiated navigation (e.g. iframe.src change) is reported as an entry. This complies with current spec. - For nested navigations that fail Timing-Allow-Origin, we don't report the normal responseEnd - instead we report the load event time as the responseEnd, to prevent leakage of navigation-related cross-origin information (see w3c/resource-timing#340) This incidentally fixes other existing issues with nested navigations and resource timing, such as flaky tests and inconsistencies regarding restored iframes. Bug: 1404695 Bug: 1348080 Bug: 1290721 Bug: 1380078 Bug: 1378015 Bug: 957181 Spec changes: whatwg/html#8643 whatwg/fetch#1579
Chromium change: https://chromium.googlesource.com/chromium/src/+/48762ae06d8de05d3dc8ef727d04eaa223901786 commit 48762ae06d8de05d3dc8ef727d04eaa223901786 Author: Noam Rosenthal <nrosenthal@chromium.org> Date: Thu Jan 12 19:08:43 2023 +0000 Refactor nested-navigations resource-timing flow This changes how frames, iframes & objects decide how to report their navigations as resource timing entries to their parent: - Any frame-initiated navigation (e.g. iframe.src change) is reported as an entry. This complies with current spec. - For nested navigations that fail Timing-Allow-Origin, we don't report the normal responseEnd - instead we report the load event time as the responseEnd, to prevent leakage of navigation-related cross-origin information (see w3c/resource-timing#340) This incidentally fixes other existing issues with nested navigations and resource timing, such as flaky tests and inconsistencies regarding restored iframes. Bug: 1404695 Bug: 1348080 Bug: 1290721 Bug: 1380078 Bug: 1378015 Bug: 957181 Spec changes: whatwg/html#8643 whatwg/fetch#1579
Chromium change: https://chromium.googlesource.com/chromium/src/+/48762ae06d8de05d3dc8ef727d04eaa223901786 commit 48762ae06d8de05d3dc8ef727d04eaa223901786 Author: Noam Rosenthal <nrosenthal@chromium.org> Date: Thu Jan 12 19:08:43 2023 +0000 Refactor nested-navigations resource-timing flow This changes how frames, iframes & objects decide how to report their navigations as resource timing entries to their parent: - Any frame-initiated navigation (e.g. iframe.src change) is reported as an entry. This complies with current spec. - For nested navigations that fail Timing-Allow-Origin, we don't report the normal responseEnd - instead we report the load event time as the responseEnd, to prevent leakage of navigation-related cross-origin information (see w3c/resource-timing#340) This incidentally fixes other existing issues with nested navigations and resource timing, such as flaky tests and inconsistencies regarding restored iframes. Bug: 1404695 Bug: 1348080 Bug: 1290721 Bug: 1380078 Bug: 1378015 Bug: 957181 Spec changes: whatwg/html#8643 whatwg/fetch#1579
Chromium change: https://chromium.googlesource.com/chromium/src/+/48762ae06d8de05d3dc8ef727d04eaa223901786 commit 48762ae06d8de05d3dc8ef727d04eaa223901786 Author: Noam Rosenthal <nrosenthal@chromium.org> Date: Thu Jan 12 19:08:43 2023 +0000 Refactor nested-navigations resource-timing flow This changes how frames, iframes & objects decide how to report their navigations as resource timing entries to their parent: - Any frame-initiated navigation (e.g. iframe.src change) is reported as an entry. This complies with current spec. - For nested navigations that fail Timing-Allow-Origin, we don't report the normal responseEnd - instead we report the load event time as the responseEnd, to prevent leakage of navigation-related cross-origin information (see w3c/resource-timing#340) This incidentally fixes other existing issues with nested navigations and resource timing, such as flaky tests and inconsistencies regarding restored iframes. Bug: 1404695 Bug: 1348080 Bug: 1290721 Bug: 1380078 Bug: 1378015 Bug: 957181 Spec changes: whatwg/html#8643 whatwg/fetch#1579
Chromium change: https://chromium.googlesource.com/chromium/src/+/48762ae06d8de05d3dc8ef727d04eaa223901786 commit 48762ae06d8de05d3dc8ef727d04eaa223901786 Author: Noam Rosenthal <nrosenthal@chromium.org> Date: Thu Jan 12 19:08:43 2023 +0000 Refactor nested-navigations resource-timing flow This changes how frames, iframes & objects decide how to report their navigations as resource timing entries to their parent: - Any frame-initiated navigation (e.g. iframe.src change) is reported as an entry. This complies with current spec. - For nested navigations that fail Timing-Allow-Origin, we don't report the normal responseEnd - instead we report the load event time as the responseEnd, to prevent leakage of navigation-related cross-origin information (see w3c/resource-timing#340) This incidentally fixes other existing issues with nested navigations and resource timing, such as flaky tests and inconsistencies regarding restored iframes. Bug: 1404695 Bug: 1348080 Bug: 1290721 Bug: 1380078 Bug: 1378015 Bug: 957181 Spec changes: whatwg/html#8643 whatwg/fetch#1579
Chromium change: https://chromium.googlesource.com/chromium/src/+/48762ae06d8de05d3dc8ef727d04eaa223901786 commit 48762ae06d8de05d3dc8ef727d04eaa223901786 Author: Noam Rosenthal <nrosenthal@chromium.org> Date: Thu Jan 12 19:08:43 2023 +0000 Refactor nested-navigations resource-timing flow This changes how frames, iframes & objects decide how to report their navigations as resource timing entries to their parent: - Any frame-initiated navigation (e.g. iframe.src change) is reported as an entry. This complies with current spec. - For nested navigations that fail Timing-Allow-Origin, we don't report the normal responseEnd - instead we report the load event time as the responseEnd, to prevent leakage of navigation-related cross-origin information (see w3c/resource-timing#340) This incidentally fixes other existing issues with nested navigations and resource timing, such as flaky tests and inconsistencies regarding restored iframes. Bug: 1404695 Bug: 1348080 Bug: 1290721 Bug: 1380078 Bug: 1378015 Bug: 957181 Spec changes: whatwg/html#8643 whatwg/fetch#1579
When encountering a cross-origin iframe without Timing-Allow-Origin, don't automatically report its fetch start/end times, as that might expose user interaction with the iframe (a cross-origin violation). Instead, report a fallback resource timing entry, with the navigation start time and the load event time of the iframe, which are already observable. Closes w3c/resource-timing#340.
In most cases a single RT entry corresponds to a single completed fetch (successful or non-aborted network error).
However, in the case of iframes this is a bit murky, especially when the iframes are cross-origin.
Imagine the following scenario (as represented in this test):
embedder.com
embedscrossorigin.com/iframe.html
iframe.html
's body fully loads, it navigates away toother.com/other-iframe.html
- either by user interaction or by e.g.location.href
setting in the head. (there are many ways in which this can happen)other.com/other-iframe.html
Currently the resource timing entry (at least in chrome & Safari) would be of
crossorigin.com
, representing whatever state the response was when it was aborted. The entry would only be reported when the body ofother.com
is complete. According to spec perhaps it shouldn't be reported at all since it's an aborted fetch.Both cases could lead to confusion and would be a cross-origin violation.
embedder.com
is not supposed to know that the iframe has aborted and navigated to somewhere else, and both not reporting it at all or reporting the first navigation only would expose that.One way to solve it is to align the timing with the timing of the iframe's load event, but that would be misleading - the time between navigating the iframe and the iframe's load event could be multiple fetches plus Javascript execution in the middle. Also, if we do this only for cross-origin iframes, they would diverge from what those timing values mean for same-origin iframes.
My proposal is to not report iframe navigation to resource timing at all, and to rely on navigation timing alone for this, letting the iframe explicitly send it information to the parent with
postMessage
if it so wishes. But I'm not sure the impact on current users of these APIs etc, so would love to hear thoughts.The text was updated successfully, but these errors were encountered: