[Resource Timing] Test XO redirection sandwich with and without TAO #13518
Conversation
Going from the description, do you require Timing-Allow-Origin on each response in the chain?
There are no reviewers for this pull request besides its author. Please reach out on W3C's irc server (irc.w3.org, port 6665) on channel #testing (web client) to get help with this. Thank you!
The "with TAO" test does indeed have TAO on each response other than the last one (which is same origin). Is there value in making sure that only cross-origin responses have TAO?
The last one also needs to have it, if you ever went cross-origin. Otherwise you have a different design from CORS which seems bad for security (as I tried to explain in the corresponding issue and maybe also some other PR in that repo).
Test looks good to me, we should have tests for these sandwiches now instead of waiting on the integration with fetch which will make it consistent with CORS. Do you mind adding a comment in multi_redirect.py to be precise about what it is doing? |
@annevk - PTAL. This tests the current behavior that's specified and implemented for TAO, which is to not require TAO on same-origin after a cross-origin redirect. I plan to try and align the behavior with CORS as part of L3, but want to first document and test what's implemented today. |
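The two policies debated above (the currently implemented rule, where only cross-origin responses in the chain need Timing-Allow-Origin, and the CORS-aligned rule, where every response after the first cross-origin hop needs it) can be modelled directly. The following is an added example, not code from the web-platform-tests PR or from multi_redirect.py; the chain, origins, header values and function names are constructed for illustration.

```javascript
// Model of the Resource Timing "timing allow check" over a redirect chain.
// Added example; origins, URLs and headers are constructed sample data.
const DOCUMENT_ORIGIN = 'https://example.test'; // assumed document origin

function sameOrigin(url) {
  return new URL(url).origin === DOCUMENT_ORIGIN;
}

// Does a Timing-Allow-Origin header value grant the document origin?
function taoAllows(headerValue, origin) {
  if (headerValue === undefined || headerValue === null) return false;
  return headerValue
    .split(',')
    .map(v => v.trim())
    .some(v => v === '*' || v === origin);
}

// Rule the PR says is specified and implemented today: every cross-origin
// response must carry TAO; same-origin responses are exempt, even after a
// cross-origin redirect.
function timingAllowedCurrent(chain) {
  return chain.every(
    r => sameOrigin(r.url) || taoAllows(r.headers['timing-allow-origin'], DOCUMENT_ORIGIN)
  );
}

// CORS-aligned rule proposed in the discussion: once the chain has gone
// cross-origin, every later response (including same-origin ones) needs TAO.
function timingAllowedCorsAligned(chain) {
  let tainted = false;
  for (const r of chain) {
    if (!sameOrigin(r.url)) tainted = true;
    if (tainted && !taoAllows(r.headers['timing-allow-origin'], DOCUMENT_ORIGIN)) {
      return false;
    }
  }
  return true;
}

// Attributes a PerformanceResourceTiming entry must report as zero when the
// timing allow check fails, so that cross-origin redirect/connection timing
// is not exposed to the document.
const RESTRICTED_FIELDS = [
  'redirectStart', 'redirectEnd', 'domainLookupStart', 'domainLookupEnd',
  'connectStart', 'connectEnd', 'secureConnectionStart', 'requestStart',
  'responseStart',
];

// Given raw timings and a policy, return the entry a conforming browser
// should expose to script.
function expectedEntry(chain, rawEntry, check) {
  const out = { ...rawEntry };
  if (!check(chain)) {
    for (const f of RESTRICTED_FIELDS) out[f] = 0;
  }
  return out;
}

// Constructed "sandwich": same-origin -> cross-origin -> same-origin.
const sandwichWithTao = [
  { url: 'https://example.test/redirect/1', headers: {} },
  { url: 'https://other.test/redirect/2',
    headers: { 'timing-allow-origin': 'https://example.test' } },
  { url: 'https://example.test/resource.txt', headers: {} },
];
// Same chain with no TAO anywhere.
const sandwichWithoutTao = sandwichWithTao.map(r => ({ url: r.url, headers: {} }));
// Same chain with TAO on every hop after going cross-origin.
const sandwichFullTao = sandwichWithTao.map((r, i) =>
  i === 0 ? r : { url: r.url, headers: { 'timing-allow-origin': '*' } }
);

const rawTimings = { name: 'https://example.test/resource.txt',
                     redirectStart: 12.5, redirectEnd: 30.0,
                     connectStart: 31.0, responseStart: 45.0, responseEnd: 50.0 };

if (typeof require !== 'undefined' && require.main === module) {
  console.log('current rule, with TAO:', timingAllowedCurrent(sandwichWithTao));
  console.log('CORS-aligned rule, with TAO:', timingAllowedCorsAligned(sandwichWithTao));
  console.log('no TAO entry:', expectedEntry(sandwichWithoutTao, rawTimings, timingAllowedCurrent));
}
```

The "with TAO" fixture mirrors the PR's test: only the cross-origin hop carries the header. It passes the currently implemented rule but fails the CORS-aligned one, which is exactly the divergence the reviewers flag; `responseEnd` is left untouched in both cases because it is not among the restricted attributes.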
LGTM
Force-merging because a file in
Access self.location instead of window.location. Fixes web-platform-tests#13518.
Add a test to make sure that a Same-Origin=>Cross-Origin=>Same-origin redirection chain is not exposing timing information unless Timing-Allow-Origin is set.
Partially fixes w3c/resource-timing#152