[Resource Timing] Test XO redirection sandwich with and without TAO

[yoavweiss]

Add a test to make sure that a Same-Origin=>Cross-Origin=>Same-origin redirection chain is not exposing timing information unless Timing-Allow-Origin is set.

Partially fixes w3c/resource-timing#152

[annevk]

Going from the description, do you require Timing-Allow-Origin on each response in the chain?

[wpt-pr-bot]

There are no reviewers for this pull request besides its author. Please reach out on W3C's irc server (irc.w3.org, port 6665) on channel #testing (web client) to get help with this. Thank you!

[yoavweiss]

Going from the description, do you require Timing-Allow-Origin on each response in the chain?

The "with TAO" test does indeed have TAO on each response other than the last one (which is same origin). Is there value in making sure that only cross-origin responses have TAO?

[annevk]

The last one also needs to have it, if you ever went cross-origin. Otherwise you have a different design from CORS which seems bad for security (as I tried to explain in the corresponding issue and maybe also some other PR in that repo).

[npm1]

Test looks good to me, we should have tests for these sandwiches now instead of waiting on the integration with fetch which will make it consistent with CORS. Do you mind adding a comment in multi_redirect.py to be precise about what it is doing?

[yoavweiss]

@annevk - PTAL. This tests the current behavior that's specified and implemented for TAO, which is to not require TAO on same-origin after a cross-origin redirect. I plan to try and align the behavior with CORS as part of L3, but want to first document and test what's implemented today.

[npm1]

LGTM

[Hexcles]

Force-merging because a file in common/ was modified, affecting too many tests and causing stability checks to time out.