W3C

- DRAFT -

Web Performance Working Group Teleconference

19 Oct 2011

See also: IRC log

Attendees

Present
Plh, [Microsoft], +1.650.253.aaaa, Jatinder, Arvind, Alois, Philippe, JamesS, TonyG, Karen
Regrets
Chair
SV_MEETING_CHAIR
Scribe
JatinderMann

Contents

<plh> trackbot-ng, start telcon

<trackbot> Date: 19 October 2011

trackbot, start teleconf

<trackbot> Meeting: Web Performance Working Group Teleconference

<trackbot> Date: 19 October 2011

Arvind: FYI, Andriod has started to implement NavigationTiming.

Jatinder: IE9 on Mango also supports Navigation Timing.

Timing Spec Updates

Jatinder: I have gone ahead and made spec updates to comply with ACTION-52, 53, and 54. Please go ahead and review the changes.
... I have also updated test_timing_xserver_redirect.html to change the document.location.host to documentation.location.hostname. This fixes the issues on all browsers. Please do review.

Resource Timing Security/Privacy Review

Tony: The discussion with the public-web-security mailing list is given here: http://lists.w3.org/Archives/Public/public-web-security/2011Oct/0019.html

Jatinder: Based on cache hits and misses, malicious entities can determine with strong certainty when a resource is from a third party site. Based on our currenty third party restrictions, we don't give any additional information than what can already be determined today.

Tony: The mailing list brought up concerns about XSS. Though, once you have XSS on your page, all bets are off.

Jatinder: IE9 has a XSS filter that blocks XSS on sites. Other UAs may have this, which will mitigate this concern.
... What about the opt-out option mentioned in the mailing list? Is this something we should consider?

<plh> "User agents must not send location information to Web sites without the express permission of the user."

<plh> http://www.w3.org/TR/geolocation-API/#security

James: If we are to draw a line on the opt-out option, we should let user's opt-out of all of web timing, not just the third party restrictions.

Karen: I would prefer if we allowed user's to just turn on the third-party restrictions, not all of web timing.

Zhiheng: I agree to not allow turn off all web timings.

Jatinder: Considering when you visit a site that site already has this information. That site can sell this information to third-parties. To mitigate such a risk, sites use a privacy policy to tell users they aren't selling this information. Seems like when a site uses the http header to give this information to third parties is not much different. Privacy policies should stop sites from using the header. I don't think there is a difference.

Arvind: I think we all agree to keep the spec as is.

Tony: The spec should include this discussion and our mitigation to make this clear to readers.

ACTION Jatinder to update Resource Timing security/privacy section.

<trackbot> Created ACTION-55 - Update Resource Timing security/privacy section. [on Jatinder Mann - due 2011-10-26].

Zhihend: Per my action item, looks like the HTML5 references are good. But I am still in process of finishing this.

Jatinder: We should target to have this data for TPAC. That will be a good data point in this discussion.

Plh: There are two tests that Firefox is failing on. We should figure out whether there is a test case bug or if it is a Firefox bug.

Karen: Yes, I was hoping we can discuss. Boris and I have a discussion on the mailing list.
... We may want to re-evaluate the header. I will follow up with the IE Security team.

Page Visibility Test Cases and Specs

Jatinder: With the spec updates I've made, we have closed on many of the spec questions Boris brought up. The remaining issue was whether Page Visibilty should change state on navigate away.

Arvind: I think the spec should be updated to make it clear that on navigate away, Visibility shouldn't be changed.

Karen: Also, in the unload cancel case, the Visibility may be hidden for a moment, even though the Page has always been visible.

Jatinder: I will see if we can update the spec to make this point clear.
... Please review the Page Visibility test cases. Once we are happy with the changes, I can move the tests to the approved directory.
... Also, should we keep the prefixes in the test cases or test what the spec says?

plh: We can keep the prefixes in the test cases for now. When we go to CR, we need to remove them so we are testing the spec.

Jatinder: Agreed.

Karen: When you go to http://w3c-test.org/webperf/tests/approved/navigation-timing/html5/test_document_open.html, I get a 404 message stating "timing/resources/blank_page_yellow.htm was not found on this server."

Summary of Action Items

[End of minutes]
Minutes formatted by David Booth's scribe.perl version 1.136 (CVS log)
$Date: 2011/10/19 21:37:35 $

Scribe.perl diagnostic output

[Delete this section before finalizing the minutes.]
This is scribe.perl Revision: 1.136  of Date: 2011/05/12 12:01:43  
Check for newer version at http://dev.w3.org/cvsweb/~checkout~/2002/scribe/

Guessing input format: RRSAgent_Text_Format (score 1.00)

No ScribeNick specified.  Guessing ScribeNick: JatinderMann
Inferring Scribes: JatinderMann

WARNING: Replacing list of attendees.
Old list: Plh +1.650.253.aaaa +43.664.853.aabb [Microsoft] +1.650.214.aacc +44.207.881.aadd
New list: Plh [Microsoft] +1.650.253.aaaa

Default Present: Plh, [Microsoft], +1.650.253.aaaa
Present: Plh [Microsoft] +1.650.253.aaaa Jatinder Arvind Alois Philippe JamesS TonyG Karen

WARNING: No meeting chair found!
You should specify the meeting chair like this:
<dbooth> Chair: dbooth

Found Date: 19 Oct 2011
Guessing minutes URL: http://www.w3.org/2011/10/19-webperf-minutes.html
People with action items:
[End of scribe.perl diagnostic output]