Content-type in Resource Timing #88
Comments
I've been reviewing whatwg/fetch#1481 and from that perspective this seems like a reasonable addition. For revealing the (parsed value of the)
Could we restrict the allowed revealed content types to the values of Request.destination? That would prevent unique identifiers from being included in the strings.
Can't they already communicate unique identifiers to the requesting origin if they so desire?
Apologies for the delay here. I wanted to circle back with Alex when the various PRs got more concrete, but life happened. We're supportive of this feature, but would like to see two changes to prevent passive leakage of data as this header is not otherwise broadcasted when embedding images, scripts, etc.:
I would be willing to set up the infrastructure for this in MIME Sniffing so you can pass an algorithm there a MIME type and get a filtered one back. (My tentative thinking is that it would do some deduplication for JSON/XML/JS and then fall back to https://mimesniff.spec.whatwg.org/#supported-by-the-user-agent which while not great, is probably good enough until we're happy to just write out the full list.) Does that seem reasonable @abinpaul1 @yoavweiss?
That works for me, thank you!! :)
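The filtering step proposed in the comment above, as an added sketch that is not part of the thread and not the MIME Sniffing or Fetch specification text: it collapses JavaScript, JSON and XML types to one value each, passes through only types on an allowlist, and returns an empty string for everything else, so parameters and made-up subtypes cannot carry an identifier. The parser is simplified, `SUPPORTED_BY_UA` is a constructed stand-in for the user agent's supported list, and the function names are hypothetical.

```javascript
// Added illustration; names and the allowlist below are assumptions.
const JS_ESSENCES = new Set([
  "application/ecmascript", "application/javascript", "application/x-ecmascript",
  "application/x-javascript", "text/ecmascript", "text/javascript",
  "text/javascript1.0", "text/javascript1.1", "text/javascript1.2",
  "text/javascript1.3", "text/javascript1.4", "text/javascript1.5",
  "text/jscript", "text/livescript", "text/x-ecmascript", "text/x-javascript",
]);

// Constructed stand-in for "MIME types supported by the user agent".
const SUPPORTED_BY_UA = new Set([
  "text/html", "text/css", "text/plain", "image/png", "image/jpeg", "font/woff2",
]);

const TOKEN = /^[!#$%&'*+\-.^_`|~0-9a-z]+$/;

// Simplified parse: keep only type/subtype, discard every parameter.
function essenceOf(headerValue) {
  const essence = String(headerValue).split(";")[0].trim().toLowerCase();
  const parts = essence.split("/");
  if (parts.length !== 2 || !parts.every((p) => TOKEN.test(p))) return null;
  return essence;
}

// Returns the only string a timing entry would be allowed to expose.
function filterContentType(headerValue) {
  const essence = essenceOf(headerValue);
  if (essence === null) return "";
  const subtype = essence.split("/")[1];
  if (JS_ESSENCES.has(essence)) return "text/javascript";
  if (essence === "application/json" || essence === "text/json" ||
      subtype.endsWith("+json")) return "application/json";
  if (essence === "application/xml" || essence === "text/xml" ||
      subtype.endsWith("+xml")) return "application/xml";
  return SUPPORTED_BY_UA.has(essence) ? essence : "";
}

// Constructed sample header values, including two that try to carry an ID.
for (const sample of [
  "application/x-javascript; charset=utf-8; id=abc123",
  "application/vnd.user-8f3a+json",
  "text/x-visitor-8f3a91",
  "image/png",
]) {
  console.log(JSON.stringify(sample), "->", JSON.stringify(filterContentType(sample)));
}
```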
See WebKit/standards-positions#88 (comment) for rationale. whatwg/fetch#1481 will be updated to call this.
I should have done this earlier, but let's label this as "position: support" one week from now given our feedback has been taken into account. Thanks @yoavweiss and @abinpaul1 for your help!
Request for position on an emerging web specification
Information about the spec
Design reviews and vendor positions
Bugs tracking this feature
Anything else we need to know
Link to entry on the Chrome Platform Status: https://chromestatus.com/feature/5156068351541248