processResponseDone should receive a response #1202
Conversation
There was a problem hiding this comment.
I think this is problematic as this would distinguish a CORS network error from other network errors. That they are indistinguishable is a desirable security property.
Can we still remove this from implementations?
I checked other network errors, such as a bad port, and we don't seem to be creating RT entries there, but I haven't done exhaustive testing for all possible network errors.
I'm also a bit concerned that somewhere we might do if "response is a network error, return a network error" which would drop this kind of information. I don't think we've audited that as there hasn't been a reason for it thus far.
fetch.bs
Outdated
| @@ -4019,7 +4027,7 @@ steps: | |||
|
|
|||
| <li><p>Set <var>response</var>'s <a for="response">timing info</a> to <var>timingInfo</var>. | |||
|
|
|||
| <li><p><a href="https://github.com/w3c/resource-timing/pull/261">Mark resource timing</a> for | |||
| <li><p><span>Mark resource timing</span> for | |||
fetch.bs
Outdated
| <a for=/>fetch timing info</a> with its <a for="fetch timing info">start time</a> and its | ||
| <a for="fetch timing info">post-redirect start time</a> set to <var>fetchParams</var>'s | ||
| <a for="fetch params">timing info</a>'s <a for="fetch timing info">start time</a>, and | ||
| its <a for="fetch timing info">end time</a> set to the <a for=/>coarsened shared current |
fetch.bs
Outdated
| <a>CORS check</a> for <var>request</var> and <var>response</var> returns failure, then return a | ||
| <a>network error</a>. | ||
| <a>CORS check</a> for <var>request</var> and <var>response</var> returns failure, then: | ||
| <ul> |
annevk
added
security/privacy
All network errors that come after the CORS check should go through |
|
Added #1215 to address the CORS/network error issue |
We expose errors in RT to prevent an attacker from distinguishing HTTP status codes (success vs errors). Would something similar apply here for CORS or not really (distinguishing success vs failed)? |
|
I see where the confusion lies. A HTTP status code of 4xx, 5xx, or even 9xx is not a network error. That's a normal response as far as fetch is concerned. A network error is something more fundamental or the result of a security policy, e.g.:
Whether a response with a non-2xx HTTP status code results in an "error" depends on the endpoint. For I think in principle we could do one of these:
But what we cannot do (in my opinion) is distinguish between network errors. |
fetch.bs
Outdated
| <var>timingInfo</var>, <var>originalURL</var>, <var>initiatorType</var>, and <var>global</var>. | ||
| <!-- TODO --> | ||
| <li><p> | ||
| <a href="https://w3c.github.io/resource-timing/#dfn-mark-resource-timing">Mark resource timing</a> |
There was a problem hiding this comment.
Why is this needed, is it not exported? Let's export it first.
There was a problem hiding this comment.
Sure, waiting for Resource-Timing to be published to TR (bikeshed vs. Respec stuff).
There was a problem hiding this comment.
Removing this bit for now, will update once the refs are resolvable.
fetch.bs
Outdated
|
|
||
| <li><p>Set <var>timingInfo</var>'s <a for="fetch timing info">end time</a> to | ||
| the <a for=/>coarsened shared current time</a> given <var>fetchParams</var>'s | ||
| <a for="fetch params">cross-origin isolated capability</a>. |
There was a problem hiding this comment.
Why do we need to set end time twice?
There was a problem hiding this comment.
We don't actually. Removing.
fetch.bs
Outdated
| <!-- TODO --> | ||
| <li><p> | ||
| <a href="https://w3c.github.io/resource-timing/#dfn-mark-resource-timing">Mark resource timing</a> | ||
| for <var>timingInfo</var>, <var>originalURL</var>, <var>initiatorType</var>, <var>global</var> and |
fetch.bs
Outdated
| <a for="fetch timing info">start time</a> and | ||
| <a for="fetch timing info">post-redirect start time</a> are <var>timingInfo</var>'s | ||
| <a for="fetch timing info">start time</a>. | ||
| <li><p>If <var>response</var>'s <a for=response>timing allow passed flag</a> is not set, then |
There was a problem hiding this comment.
As this <li> contains multiple flow elements the <p> needs to indented on a newline.
|
(I'm still okay with landing this modulo the above comments and leaving the error question to #1215.) |
Let's continue the discussion in #1215. |
fetch.bs
Outdated
| <li><p>Set <var>fetchParams</var>'s <a for="fetch params">request</a>'s | ||
| <a for=request>done flag</a>. | ||
|
|
||
| <li><p>If <var>timingInfo</var> is null, then return. |
There was a problem hiding this comment.
Why do we have this here and also below in finalize and report timing? It seems this doesn't need to be here and you should get process response done either way?
fetch.bs
Outdated
| <p>If <var>response</var>'s <a for=response>timing allow passed flag</a> is not set, then | ||
| perform the following steps: | ||
| <ol> | ||
| <li><p>Set <var>timingInfo</var> to a new <a for=/>fetch timing info</a> whose |
| @@ -4017,9 +4029,10 @@ steps: | |||
|
|
|||
| <li><p>Set <var>response</var>'s <a for="response">timing info</a> to <var>timingInfo</var>. | |||
|
|
|||
| <li><p><a href="https://github.com/w3c/resource-timing/pull/261">Mark resource timing</a> for | |||
| <var>timingInfo</var>, <var>originalURL</var>, <var>initiatorType</var>, and <var>global</var>. | |||
| <!-- TODO --> | |||
| @@ -1932,10 +1932,6 @@ message as HTTP/2 does not support them. | |||
| <dfn export for=response id=concept-response-cache-state>cache state</dfn> (the empty string or | |||
| "<code>local</code>"). Unlesss stated otherwise, it is the empty string. | |||
|
|
|||
| <p class=note>This is intended solely for usage by service workers. [[SW]] | |||
| <!-- If we ever expand the utility of this we need to carefully consider whether filtered responses | |||
| need to mask it, whether the cache API needs to store it, etc. --> | |||
There was a problem hiding this comment.
I think we should keep this including the comment and instead say something like
This is intended for usage by <cite>Service Workers</cite> and <cite>Resource Timing</cite>.
I guess for Resource Timing we also need opaque responses (that have TAO) to leak this information. I'll have a look if that needs more work.
Only call processResponseDone for responses that have their timing info set, which are responses that have passed CORS and redirects. Closes whatwg#1201
Reset all metrics except for start/end time to zero.
|
@noamr I think it would be good if there was a corresponding PR to Resource Timing the commit could link to for it acknowledging the new cacheState argument. |
It’s already there in the editors draft. |
|
I found the link above, it's w3c/resource-timing#266. |
Only call processResponseDone for responses that have their
timing info set, which are responses that have passed CORS
and redirects.
Closes #1201
Preview | Diff