
Privacy and Security section should mention that a user agent may choose to not expose cross-origin PerformanceServerTiming entries even with TAO #89

Closed
achristensen07 opened this issue Aug 26, 2022 · 10 comments · Fixed by #90

Comments

@achristensen07
Contributor

Concerns about using server timing for tracking have prevented us from enabling PerformanceServerTiming in WebKit. If we limited it to same-origin even when TAO headers may be present, that would help us enable it.

@achristensen07
Contributor Author

(This is intended to be discussed at TPAC 2022)

@noamr
Contributor

noamr commented Sep 8, 2022

Can you clarify if you're considering CORS same origin (cross origin with a CORS header etc) as same origin?
CORS resources can already pass as much tracking information as they want

@achristensen07
Contributor Author

I'm not considering CORS same origin, though you are correct that CORS resources can already pass arbitrary information.

@achristensen07
Contributor Author

achristensen07 commented Sep 13, 2022

Motivating example from my slides at TPAC:
Many webpages look like this:

```html
<img src='https://example1.com/img.png'/>
<script src='https://example2.com/analytics'></script>
```

With server timing, example1.com can now send unique identifiers to example2.com without modifying any content.
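The policy this thread converges on, as an added example that is not part of the issue, the WebKit implementation, or the Server Timing spec: a small model of a user agent that exposes `PerformanceServerTiming` entries only for same-origin resources, regardless of any `Timing-Allow-Origin` (TAO) header on the response. The resource list, the document origin `https://publisher.example`, and the `user-1234` identifier are constructed sample data standing in for the page described in the comment above.

```javascript
// Added example: model of a UA that restricts serverTiming to same-origin resources.
// Not the spec's or WebKit's code; the entry shapes below are constructed for the demo.

// Constructed sample: the document is cross-site to both third parties,
// as in the motivating example (an image from example1.com, a script from example2.com).
const DOCUMENT_ORIGIN = "https://publisher.example";

const SAMPLE_ENTRIES = [
  {
    name: "https://publisher.example/api/data",
    timingAllowOrigin: true, // same-origin responses pass the TAO check by definition
    serverTiming: [{ name: "db", duration: 12.5, description: "" }],
  },
  {
    name: "https://example1.com/img.png",
    timingAllowOrigin: true, // constructed: response carried "Timing-Allow-Origin: *"
    // Constructed identifier: the kind of value the thread worries could reach example2.com.
    serverTiming: [{ name: "uid", duration: 0, description: "user-1234" }],
  },
  {
    name: "https://example2.com/analytics",
    timingAllowOrigin: false, // constructed: no TAO header on this response
    serverTiming: [{ name: "render", duration: 3, description: "" }],
  },
];

// True when the resource URL's origin equals the document's origin.
function sameOrigin(url, origin) {
  return new URL(url).origin === origin;
}

// Spec behaviour as discussed in the thread: serverTiming is visible whenever the
// response passes the TAO check, so example1.com's entry is readable by any script.
function serverTimingWithTaoOnly(entries) {
  return entries.map((e) => ({
    name: e.name,
    serverTiming: e.timingAllowOrigin ? e.serverTiming : [],
  }));
}

// Proposed UA liberty: additionally require the resource to be same-origin with the
// document, so a TAO header alone no longer exposes a third party's Server-Timing values.
function serverTimingSameOriginOnly(entries, documentOrigin) {
  return entries.map((e) => ({
    name: e.name,
    serverTiming:
      e.timingAllowOrigin && sameOrigin(e.name, documentOrigin) ? e.serverTiming : [],
  }));
}

// Names of the resources whose serverTiming is visible under a given policy.
function exposedResources(view) {
  return view.filter((v) => v.serverTiming.length > 0).map((v) => v.name);
}

console.log("TAO only:", exposedResources(serverTimingWithTaoOnly(SAMPLE_ENTRIES)));
console.log(
  "same-origin only:",
  exposedResources(serverTimingSameOriginOnly(SAMPLE_ENTRIES, DOCUMENT_ORIGIN))
);
```

Under the TAO-only policy the cross-origin image's entry, and with it the identifier in its description, is readable by the analytics script; under the same-origin-only policy only the publisher's own resource keeps its serverTiming, which is the narrowing the thread asks the spec to permit.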

@yoavweiss
Contributor

Thanks for the concrete example! This makes discussing this significantly easier!

So, we have example1.com which is already loading a passive resource (image) in the page and example2.com that's loading an active resource (script). You are worried that the passive resource would be able to pass information read by the active one.

Given that both example1.com and example2.com can modify their content in order to pass along the required information, isn't it possible for the script included by example2.com to load a CORS enabled image from example1.com, and then use the image's non-opaque contents to read e.g. unique identifiers? (even if CSP prevents other, easier types of fetches)

@achristensen07
Contributor Author

It is indeed possible for example1.com to modify its content, but this is to increase the privacy when example1.com does not modify its content, which is quite common on the web.

@jeremyroman

@achristensen07 IIUC the HTML resource's origin (which is the one you're concerned doesn't modify its content) is neither example1.com nor example2.com, but something cross-site to both, right?

@achristensen07
Contributor Author

@jeremyroman You understand correctly.

@yoavweiss
Contributor

This was discussed at TPAC, and there was agreement we can allow such UA liberties in the spec.

@achristensen07 - interesting in PRing something here?

@achristensen07
Contributor Author

I can make a PR.

achristensen07 added a commit to achristensen07/server-timing that referenced this issue Jan 26, 2023
…erTiming

even with the presence of TAO header fields.  This resolves
w3c#89
4 participants