Server-Timing headers should be explicitly safelisted by CORS
... for access via fetch API.
Accessing them from resource/navigation timing is protected by TAO.

See whatwg/fetch#1511.
noamr authored Jan 3, 2023
1 parent 97bb0e6 commit 97518d5
Showing 3 changed files with 16 additions and 0 deletions.
Binary file added server-timing/resources/blue_cors.png
2 changes: 2 additions & 0 deletions server-timing/resources/blue_cors.png.headers
@@ -0,0 +1,2 @@
Access-Control-Allow-Origin: *
Server-Timing: metric2; dur=2.1; desc=blue.png
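Review bot: the fixture sends `Access-Control-Allow-Origin: *` but no `Access-Control-Expose-Headers`, so it only exercises the negative case (Server-Timing is not in the CORS-safelisted response-header list and therefore stays hidden from a cross-origin fetch). Since the commit's point is that the header must be explicitly safelisted, a second fixture that adds `Access-Control-Expose-Headers: Server-Timing` would let a positive test confirm the header becomes visible once exposed. Minor: `desc=blue.png` names a different file than the resource it is served with (`blue_cors.png`); consider making the description match to avoid confusion when reading test output.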
@@ -0,0 +1,14 @@
<!DOCTYPE html>
<head>
<meta charset='utf-8' />
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/common/get-host-info.sub.js"></script>
<script>
const {HTTPS_REMOTE_ORIGIN} = get_host_info()
promise_test(async t => {
const response = await fetch(`${HTTPS_REMOTE_ORIGIN}/server-timing/resources/blue_cors.png`, {mode: "cors"});
assert_equals(response.headers.has("server-timing"), false);
}, "Server-Timing headers should be explicitly allowed by CORS");
</script>
</head>
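Review bot: the test asserts only that `response.headers.has("server-timing")` is false when the header is not exposed; there is no counterpart asserting it is visible when the server does expose it, which is the "explicitly safelisted" half of the title. Suggest a second `promise_test` fetching a fixture that sends `Access-Control-Expose-Headers: Server-Timing` and asserting `response.headers.has("server-timing")` is true, so a regression that hides the header unconditionally would also be caught. Two style points: the test description says "explicitly allowed by CORS" while the commit title says "explicitly safelisted", and `const {HTTPS_REMOTE_ORIGIN} = get_host_info()` is missing its trailing semicolon; the document also lacks a `<title>`, which other testharness.js tests usually include. The `mode: "cors"` option is the fetch default and can stay, though it is redundant.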
