Web Performance WG Teleconference

27 Oct 2010


Present: +1.650.248.aaaa, [Microsoft], +1.650.390.aabb, Plh, +1.650.691.aacc, AndersonQuach, NicJansma, TonyG, Zhiheng, Christian, plh


<scribe> scribe: AndersonQuach

list the agenda

Feedback on information disclosure issue w/ Navigation Timing: navigationStart, redirectStart, redirectEnd, unloadEventStart, unloadEventEnd, and redirectCount

AndersonQuach: feedback, not to be explicit about leaking information about the previous site.

TonyG: Similar findings, attacks can be constructed with today's means.
... What do we want to do?

NicJansma: Simplest approach is to zero out fields, navigationStart, redirectStart, redirectEnd, unloadEventStart, unloadEventEnd.

TonyG: It's good to be consistent field. What about navigationStart as a start point?

<Christian> (once I dial the number)

Zhiheng: Question, does the privacy concern still apply in the case of no redirection from a different origin to the target origin?

TonyG: Sites doing before, setting time in a cookie on previous page, to get a full timeline on the subsequent page?
... navigationStart is less useful if we cannot collect it consistently.

Zhiheng: what about non-redirect case? unload phase is info disclosure. what about exposing navigationStart with no-redirection?

TonyG: if navigationStart goes away, fetchStart is the new earliest time.

NicJansma: We have seen navigationStart and fetchStart vary.

AndersonQuach: there is no info disclosure to have navigationStart as it is without the redirects.

NicJansma: Summary: in the case of the same dest/target origin, all attributes are there. In the case of no redirect, navigationStart is there. If there is a redirect from the same origin, we have all the attributes. If there is a redirect and a different dest/target origin, navigationStart, redirectStart|End, unloadStart|End and redirectCount are zero.
... new attribute in nav info to signal cross dest/target domain?

TonyG: maybe a special value, or the attributes are undef or access is denied.

NicJansma: site devs not expecting script errors or exceptions.

TonyG: it will be difficult to use.

NicJansma: They can differentiate with the differences between values in unload versus redirect.

TonyG: Okay to be zeroed and the rest can be inferred.

Zhiheng: how to differentiate different cases?
... end-user perception and the latency for destination page?
... what about defining navigationStart as after the redirect phase as proposed in mail?

TonyG: what is the difference between navigationStart and fetchStart?
... i like having navigationStart closer to end-user perceived time.

NicJansma: yes, because the end-user perceived time is still valuable on same domain redirect and subsequent navigations.
... we would like to keep navigationStart as in IE and Chrome webkit implementation.

Christian: making navigationStart as the end-user time is the right thing to me.

Zhiheng: okay.
... I agree and update processing model.

Definition of same-origin, with respect to publicsuffix+1 and as it relates to navigations.

TonyG: Public suffix means TLD. +1 means domain.

Zhiheng: Correct.
... publicsuffix + 1, same schema, same port.

NicJansma: will google.com be considered the same as www.google.com?

Zhiheng: that is TLD.

AndersonQuach: HTML5 definition: http://www.w3.org/TR/html5/origin-0.html

<AndersonQuach_> NicJansma: definition for redirect being non-same-origin redirections.

<Zhiheng> http://www.w3.org/TR/html5/origin-0.html#origin-0

<AndersonQuach_> TonyG: there may be a definition in the HTML5 spec. we probably need to find it offline.

<AndersonQuach_> NicJansma: should be up to the site

<AndersonQuach_> Zhiheng: same origin policy does not include path.

<AndersonQuach_> NicJansma: we do not want to include the path.

<AndersonQuach_> AndersonQuach: what about sub-domains?

<AndersonQuach_> Zhiheng: only the TLD

<AndersonQuach_> TonyG: we need to do some research.

<AndersonQuach_> TonyG: capture in the spec that the redirect chain, and match up everything in the spec.

Behavior of window.performance when disabled.

<AndersonQuach_> AndersonQuach: recommend, if it's disabled must not provide the interface.

<AndersonQuach_> TonyG: agreed.

<AndersonQuach_> Zhiheng: sounds good.

<AndersonQuach_> Christian: concerned how the implementation of that could work.

<AndersonQuach_> Christian: easier to provide a null return or undef return.

<AndersonQuach_> AndersonQuach: let's go with null

Finalize interface names (See: http://lists.w3.org/Archives/Public/public-web-perf/2010Oct/0040.html)

<AndersonQuach_> TonyG: Performance, PerformanceTiming, PerformanceNavigation and keep going with that scheme.

<AndersonQuach_> NicJansma: That sounds fine.

<AndersonQuach_> Zhiheng: that sounds good.

<AndersonQuach_> TonyG: s/NavigationTiming/PerformanceTiming/ s/NavigationInfo/PerformanceNavigation/

<AndersonQuach_> list the agenda

<Christian> me too

<AndersonQuach_> NicJansma: should not have sort order for NavigationTiming attributes, order can be messed up if extended.

<AndersonQuach_> TonyG: sentence, ordering is not normative.

<AndersonQuach_> NicJansma: spec says chronological order.

<Christian> I have to go

<AndersonQuach_> Summary

<AndersonQuach_> 1. The attributes navigationStart, redirectStart, redirectEnd, unloadEventStart, and unloadEventEnd will zero out in cross-origin navigations and non-same redirection chain. The rationale is that this is explicitly providing information about the previous domain previously not easily accessible and will enable site developers to glean information about end-users visiting their site.

<AndersonQuach_> 1 a. In scenarios where there is no redirection chain, navigationStart begins immediately after the prompt for unload, if the previous page and the current page are of the same origin or different origin.

<AndersonQuach_> 1 b. If the navigationStart and fetchStart are of the same origin and the redirect chain is of the same origin or no redirect chain, the site developer has all the attributes.

<AndersonQuach_> 1 c. If the navigationStart and fetchStart are of different origins and there is a redirection chain the following attributes are to be zero: navigationStart, redirectStart, redirectEnd, unloadEventStart, unloadEventEnd and redirectCount.

<AndersonQuach_> 2. The navigationStart attribute will capture the end-user perceived time and begin immediately before redirectStart in allowable cases.

<AndersonQuach_> 3. Currently we will use the origin definition as specified in HTML5 section 5.3 Origin. And specify navigation scenarios when involving different domains from the previous navigation to the target navigation and different domains in redirect chains.

<AndersonQuach_> 4. The ability to disable the interface needs to become a “May” level requirement. The behavior when the interface is disabled is a “Must” level requirement. The window.performance.timing and window.performance.navigation interface must be null when disabled.

<AndersonQuach_> 5. The naming for the interfaces should have the Performance prefixes. The recommended changes are: s/NavigationTiming/PerformanceTiming/ s/NavigationInfo/PerformanceNavigation/ and subsequent interfaces for ResourceTiming and UserTiming will follow this convention.

<AndersonQuach_> 6. When enumerating the window.performance.timing attributes, there is no order implied. As developers may extend this interface and the order may change from site to site and user agent to user agent.

<AndersonQuach_> s/summary/topic: summary/

Summary of Action Items

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.135 (CVS log)
$Date: 2010/10/27 17:39:45 $
