[minutes] 20111019 Web Performance WG Teleconference #52

Meeting Summary:



1.      Timing Spec Updates

a.       Spec Updates

Based on ACTION-52, 53 and 54, Spec updates were made to Resource Timing, User Timing and Performance Timeline specifications.



b.       Dependencies on HTML5

Zhiheng is continuing his investigation to ensure dependencies on the HTML5 specification are stable. So far he has not found any case where things are different. He plans to complete this investigation, ACTION-51, prior to our TPAC meeting.



2.      Timing Spec Test Cases

The http://w3c-test.org/webperf/tests/approved/navigation-timing/html5/test_timing_xserver_redirect.html was changed to use document.location.hostname instead of document.location.host; this causes the test to work in all browsers.



The http://w3c-test.org/webperf/tests/approved/navigation-timing/html5/test_document_open.html gives a 404 message stating "timing/resources/blank_page_yellow.htm was not found on this server." Philippe will investigate a fix here.



Karen is following up to see if there is a test bug in http://w3c-test.org/webperf/tests/approved/navigation-timing/html5/test_timing_attributes_order.html test case or if it is a Firefox bug.



3.      Resource Timing Security / Privacy Review

Based on the discussion on the public-web-security mailing list, http://lists.w3.org/Archives/Public/public-web-security/2011Oct/0019.html, it appears that our current cross-origin restrictions are sufficient to mitigate most security and privacy risks. Further, with the cross-origin restrictions, Resource Timing doesn't make the privacy concern any worse than what can be found today using load events via script to determine cache hits and misses. Further, we don't feel the Resource Timing option to allow sites override the cross-origin restrictions makes things any worse, as sites can already share that data out of band with third parties.



We have opened ACTION-55 to update the Resource Timing Security and Privacy sections with the background information we have found and to make our current position clear in the spec, so that this topic can be considered closed.



The IE team is following up with their security team to re-iterate that this design is acceptable.



4.      Page Visibility Feedback

a.       Spec Feedback

The working group hasn't seen any strong data or use cases to consider changing the visibility state during page unload. We will make the specification clear that no specific action will be taken on page unload outside of the current visibility checks.



b.       Test Cases

Microsoft has uploaded 6 Page Visibility test cases. The Working Group will review the test cases for correctness by next week's meeting. If there are no test cases bugs, these test cases will be moved to the approved folder.



Action Items:
ACTION-51 - Look at NT references to HTML5 and see if those parts of the spec are stable. [on Zhiheng Wang].
ACTION-55 - Update Resource Timing security/privacy section. [on Jatinder Mann - due 2011-10-26].


Detailed Notes:



Web Perf Teleconference #52 10/19/2011



IRC log: http://www.w3.org/2011/10/19-webperf-irc


Meeting Minutes: http://www.w3.org/2011/10/19-webperf-minutes.html



Attendees

Present for Navigation Timing, Resource Timing and User Timing (4-5PM EST/1-2PM PST)

Philippe Le Hegaret, Jatinder Mann, Arvind Jain, Karen Anderson, Alois Reitbauer, Tony Gentilcore, James Simonsen, Zhiheng Wang


Present for Page Visibility, Efficient Script Yielding, Display Paint Notifications (4-5PM EST/2-3PM PST)

Philippe Le Hegaret, Jatinder Mann, Arvind Jain, Karen Anderson



Scribe

Jatinder Mann



Contents

Agenda

1.       Timing Spec Updates

2.       Resource Timing Security / Privacy Review

3.       Timing Spec Test Cases Review

4.       Page Visibility Feedback

5.       Page Visibility Test Case Feedback



--------------------------------------------------------------------------------





Arvind: FYI, Andriod has started to implement NavigationTiming.

Jatinder: IE9 on Mango also supports Navigation Timing.
Timing Spec Updates

Jatinder: I have gone ahead and made spec updates to comply with ACTION-52, 53, and 54. Please go ahead and review the changes.
... I have also updated test_timing_xserver_redirect.html to change the document.location.host to document.location.hostname. This fixes the issues on all browsers. Please do review.
Resource Timing Security/Privacy Review

Tony: The discussion with the public-web-security mailing list is given here: http://lists.w3.org/Archives/Public/public-web-security/2011Oct/0019.html

Jatinder: Based on cache hits and misses, malicious entities can determine with strong certainty when a resource is from a third party site. Based on our currenty third party restrictions, we don't give any additional information than what can already be determined today.

Tony: The mailing list brought up concerns about XSS. Though, once you have XSS on your page, all bets are off.

Jatinder: IE9 has a XSS filter that blocks XSS on sites. Other UAs may have this, which will mitigate this concern.
... What about the opt-out option mentioned in the mailing list? Is this something we should consider?

<plh> "User agents must not send location information to Web sites without the express permission of the user."

<plh> http://www.w3.org/TR/geolocation-API/#security

James: If we are to draw a line on the opt-out option, we should let user's opt-out of all of web timing, not just the third party restrictions.

Karen: I would prefer if we allowed user's to just turn on the third-party restrictions, not all of web timing.

Zhiheng: I agree to not allow turn off all web timings.

Jatinder: Considering when you visit a site that site already has this information. That site can sell this information to third-parties. To mitigate such a risk, sites use a privacy policy to tell users they aren't selling this information. Seems like when a site uses the http header to give this information to third parties is not much different. Privacy policies should stop sites from using the header. I don't think there is a difference.

Arvind: I think we all agree to keep the spec as is.

Tony: The spec should include this discussion and our mitigation to make this clear to readers.

ACTION Jatinder to update Resource Timing security/privacy section.

<trackbot> Created ACTION-55 - Update Resource Timing security/privacy section. [on Jatinder Mann - due 2011-10-26].

Zhihend: Per my action item, looks like the HTML5 references are good. But I am still in process of finishing this.

Jatinder: We should target to have this data for TPAC. That will be a good data point in this discussion.

Plh: There are two tests that Firefox is failing on. We should figure out whether there is a test case bug or if it is a Firefox bug.

Karen: Yes, I was hoping we can discuss. Boris and I have a discussion on the mailing list.
... We may want to re-evaluate the header. I will follow up with the IE Security team.
Page Visibility Test Cases and Specs

Jatinder: With the spec updates I've made, we have closed on many of the spec questions Boris brought up. The remaining issue was whether Page Visibilty should change state on navigate away.

Arvind: I think the spec should be updated to make it clear that on navigate away, Visibility shouldn't be changed.

Karen: Also, in the unload cancel case, the Visibility may be hidden for a moment, even though the Page has always been visible.

Jatinder: I will see if we can update the spec to make this point clear.
... Please review the Page Visibility test cases. Once we are happy with the changes, I can move the tests to the approved directory.
... Also, should we keep the prefixes in the test cases or test what the spec says?

plh: We can keep the prefixes in the test cases for now. When we go to CR, we need to remove them so we are testing the spec.

Jatinder: Agreed.

Karen: When you go to http://w3c-test.org/webperf/tests/approved/navigation-timing/html5/test_document_open.html, I get a 404 message stating "timing/resources/blank_page_yellow.htm was not found on this server."