From 1ff5ac20807221180506f2b49e8a87abbdee6dd8 Mon Sep 17 00:00:00 2001 From: Noam Rosenthal Date: Tue, 10 Feb 2026 10:36:20 +0000 Subject: [PATCH 1/4] Clarify informative notes about cross-origin --- index.html | 63 +++++++++++++++++++++++++++++++++++++++--------------- 1 file changed, 46 insertions(+), 17 deletions(-) diff --git a/index.html b/index.html index a290cbb..be946fd 100644 --- a/index.html +++ b/index.html @@ -1043,13 +1043,20 @@

Cross-origin Resources

-

- As detailed in [=Fetch=], requests for cross-origin resources are - included as PerformanceResourceTiming objects in the - Performance - Timeline. If the timing - allow check algorithm fails for a cross-origin resource, the +

+ Introduction +

+

+ This section is non-normative. +

+ +As detailed in [=Fetch=], requests for cross-origin resources are +included as PerformanceResourceTiming objects in the + Performance + Timeline. +

+ If the timing + allow check algorithm fails for a cross-origin resource, the entry will be an [=create an opaque timing info|opaque entry=]. Such entries have most of their attributes masked in order to prevent leaking cross-origin data that isn't otherwise exposed. So, for an @@ -1066,23 +1073,45 @@

{{PerformanceResourceTiming/firstInterimResponseStart}}, {{PerformanceResourceTiming/finalResponseHeadersStart}}, {{PerformanceResourceTiming/responseStart}}, - {{PerformanceResourceTiming/secureConnectionStart}}, - {{PerformanceResourceTiming/transferSize}}, - {{PerformanceResourceTiming/encodedBodySize}}, and - {{PerformanceResourceTiming/decodedBodySize}}. Further, the - {{PerformanceResourceTiming/nextHopProtocol}} attribute will be set - to the empty string. + {{PerformanceResourceTiming/secureConnectionStart}}. Further, the + {{PerformanceResourceTiming/nextHopProtocol}} attribute will be set + to the empty string.

- Server-side applications may return the Timing-Allow-Origin - HTTP response header to allow the User Agent to fully expose, to the - document origin(s) specified, the values of attributes that would - have been zero due to those cross-origin restrictions. + Some of the properties, like {{PerformanceResourceTiming/contentType}}, + {{PerformanceResourceTiming/encodedBodySize}}, and + {{PerformanceResourceTiming/decodedBodySize}} are set to zero (or the empty string in the case of + {{PerformanceResourceTiming/contentType}}) when the response is CORS-cross-origin. + + {{PerformanceResourceTiming/transferSize}} is affected both by the timing + allow check and by the CORS-cross-origin status. +

+ +

+ For requests handled by a [=service worker=] using {{FetchEvent/respondWith()}}, the reported timing data reflects the + interaction between + the client and the service worker, + rather than the service worker's own internal network activity. + For example, the service worker might respond to a same-origin request with a cross-origin response or vice versa, + or return a cached or synthetic response to either. + Given that, resources forwarded from a service worker do not tell the whole story + of fetching the resource, and do not go through the timing + allow check. + To get the full information about those fetches, the service worker's own performance timeline + can be inspected. [[SERVICE-WORKERS]]

+

Timing-Allow-Origin Response Header

+

+ Server-side applications may return the Timing-Allow-Origin + HTTP response header to allow the User Agent to fully expose, to the + document origin(s) specified, the values of attributes that would + have been zero due to those cross-origin restrictions. +

The Timing-Allow-Origin HTTP response header field can be used to communicate a policy indicating origin(s) that may be From 72122db198eee1ef36c1cbc1912afa3b15b3434f Mon Sep 17 00:00:00 2001 From: Noam Rosenthal Date: Tue, 10 Feb 2026 11:26:19 +0000 Subject: [PATCH 2/4] Add links to fetch --- index.html | 114 ++++++++++++++++++++++++++++------------------------- 1 file changed, 61 insertions(+), 53 deletions(-) diff --git a/index.html b/index.html index be946fd..7b1421e 100644 --- a/index.html +++ b/index.html @@ -66,20 +66,20 @@ github: "https://github.com/w3c/resource-timing/", caniuse: "resource-timing", xref: { - specs: ["hr-time-3", "performance-timeline", "service-workers" ,"xhr"], + specs: ["hr-time-3", "performance-timeline", "service-workers", "xhr"], profile: "web-platform", - }, + }, - localBiblio: { - INCREMENTAL_FONT_TRANSFER: { - title: "Incremental Font Transfer", - href: "https://www.w3.org/TR/IFT/", + localBiblio: { + INCREMENTAL_FONT_TRANSFER: { + title: "Incremental Font Transfer", + href: "https://www.w3.org/TR/IFT/", + }, + EARLY_HINTS: { + title: "Early hints", + href: "https://httpwg.org/specs/rfc8297.html", + } }, - EARLY_HINTS: { - title: "Early hints", - href: "https://httpwg.org/specs/rfc8297.html", - } - }, }; @@ -458,20 +458,21 @@

"body", if the request is a result of processing the [^body^] element's background attribute that's already obsolete. - -
  • -

    +

  • +
  • +

    "css", if the request is a result of processing a - CSS url() directive such as @import - url() or background: url(); [[CSS-VALUES]] -

    -

    - Note: the request for a font resource specified with - @font-face in CSS is a result of processing a CSS - directive. Therefore, the `initiatorType` for this font - resource is "css". -

    + CSS url() directive such as @import + url() or + background: url(); + [[CSS-VALUES]] +

    +

    + Note: the request for a font resource specified with + @font-face in CSS is a result of processing a CSS + directive. Therefore, the `initiatorType` for this font + resource is "css". +

  • "script", if the request is a result of loading any @@ -486,8 +487,8 @@

    "font", if the request is the result of processing fonts. This can happen when fonts request subsequent resources, e.g, when [[[INCREMENTAL_FONT_TRANSFER]]] is used. -

  • -
  • +
  • +
  • "fetch", if the request is the result of processing the {{WindowOrWorkerGlobalScope/fetch()}} method;
  • @@ -535,20 +536,20 @@

  • "embed", if the request is the result of processing an [^embed^] element's [^embed/src^]. -
  • -
  • - "link", if the request is the result of processing - an [^link^] element. -
  • -
  • - "object", if the request is the result of processing - an [^object^] element. -
  • -
  • - "early-hints", if the request is the result of - processing an [[[EARLY_HINTS]]] response. -
  • -
  • +
  • +
  • + "link", if the request is the result of processing + an [^link^] element. +
  • +
  • + "object", if the request is the result of processing + an [^object^] element. +
  • +
  • + "early-hints", if the request is the result of + processing an [[[EARLY_HINTS]]] response. +
  • +
  • "other", if none of the above conditions match.
  • @@ -768,9 +769,9 @@

    The contentEncoding getter steps are to return this's resource - info 's [=response body info/content encoding=]. -

    -

    + info 's [=response body info/content encoding=]. +

    +

    The renderBlockingStatus getter steps are to return blocking if this's timing @@ -780,25 +781,25 @@

    The workerRouterEvaluationStart getter steps are to return this's timing - info's [=fetch timing info/service worker timing info=]'s + info's [=fetch timing info/service worker timing info=]'s [=service worker timing info/worker router evaluation start=].

    The workerCacheLookupStart getter steps are to return this's timing - info's [=fetch timing info/service worker timing info=]'s + info's [=fetch timing info/service worker timing info=]'s [=service worker timing info/worker cache lookup start=].

    The workerMatchedRouterSource getter steps are to return this's timing - info's [=fetch timing info/service worker timing info=]'s + info's [=fetch timing info/service worker timing info=]'s [=service worker timing info/worker matched router source=].

    The workerFinalRouterSource getter steps are to return this's timing - info's [=fetch timing info/service worker timing info=]'s + info's [=fetch timing info/service worker timing info=]'s [=service worker timing info/worker final router source=].

    @@ -1061,7 +1062,7 @@

    entries have most of their attributes masked in order to prevent leaking cross-origin data that isn't otherwise exposed. So, for an [=create an opaque timing info|opaque entry=], the following - attributes will be set to zero: + attributes will always return zero or the empty string: {{PerformanceResourceTiming/redirectStart}}, {{PerformanceResourceTiming/redirectEnd}}, {{PerformanceResourceTiming/workerStart}}, @@ -1073,13 +1074,11 @@

    {{PerformanceResourceTiming/firstInterimResponseStart}}, {{PerformanceResourceTiming/finalResponseHeadersStart}}, {{PerformanceResourceTiming/responseStart}}, - {{PerformanceResourceTiming/secureConnectionStart}}. Further, the - {{PerformanceResourceTiming/nextHopProtocol}} attribute will be set - to the empty string. + {{PerformanceResourceTiming/secureConnectionStart}}, and {{PerformanceResourceTiming/nextHopProtocol}}.

    - Some of the properties, like {{PerformanceResourceTiming/contentType}}, - {{PerformanceResourceTiming/encodedBodySize}}, and + Some of the properties, like {{PerformanceResourceTiming/contentType}}, + {{PerformanceResourceTiming/encodedBodySize}}, and {{PerformanceResourceTiming/decodedBodySize}} are set to zero (or the empty string in the case of {{PerformanceResourceTiming/contentType}}) when the response is CORS-cross-origin. @@ -1100,6 +1099,15 @@

    allow check. To get the full information about those fetches, the service worker's own performance timeline can be inspected. [[SERVICE-WORKERS]] + +

    + For more details, see HTTP Fetch #4 - the timing + allow check is only performed when there is no response from the service worker. + In addition, the [=response=] cloned in the {{FetchEvent/respondWith()}} algorithm does not carry the [=/fetch timing + info=] + of the internal fetch, as that information is attached to a fetch rather than to a [=response=]. +

    From 6be3d8c0470630a92c338290a825f973f0e54cad Mon Sep 17 00:00:00 2001 From: Noam Rosenthal Date: Tue, 10 Feb 2026 11:27:30 +0000 Subject: [PATCH 3/4] encoded --- index.html | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/index.html b/index.html index 7b1421e..fa9a74a 100644 --- a/index.html +++ b/index.html @@ -462,8 +462,9 @@

  • "css", if the request is a result of processing a - CSS url() directive such as @import - url() or + CSS url() directive such as + @import + url() or background: url(); [[CSS-VALUES]]

    @@ -1078,13 +1079,13 @@

    Some of the properties, like {{PerformanceResourceTiming/contentType}}, - {{PerformanceResourceTiming/encodedBodySize}}, and - {{PerformanceResourceTiming/decodedBodySize}} are set to zero (or the empty string in the case of - {{PerformanceResourceTiming/contentType}}) when the response is CORS-cross-origin. + and {{PerformanceResourceTiming/decodedBodySize}} are set to zero (or the empty string in the case of + {{PerformanceResourceTiming/contentType}}) when the response is CORS-cross-origin. - {{PerformanceResourceTiming/transferSize}} is affected both by the timing - allow check and by the CORS-cross-origin status. + {{PerformanceResourceTiming/encodedBodySize}} and {{PerformanceResourceTiming/transferSize}} are affected both by the + timing + allow check and by the CORS-cross-origin status.

    From 6e1649a09e97d669959fac57480fc48ed42a1380 Mon Sep 17 00:00:00 2001 From: Noam Rosenthal Date: Tue, 10 Feb 2026 11:29:16 +0000 Subject: [PATCH 4/4] Revert "encoded" This reverts commit 6be3d8c0470630a92c338290a825f973f0e54cad. --- index.html | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/index.html b/index.html index fa9a74a..7b1421e 100644 --- a/index.html +++ b/index.html @@ -462,9 +462,8 @@

  • "css", if the request is a result of processing a - CSS url() directive such as - @import - url() or + CSS url() directive such as @import + url() or background: url(); [[CSS-VALUES]]

    @@ -1079,13 +1078,13 @@

    Some of the properties, like {{PerformanceResourceTiming/contentType}}, - and {{PerformanceResourceTiming/decodedBodySize}} are set to zero (or the empty string in the case of - {{PerformanceResourceTiming/contentType}}) when the response is CORS-cross-origin. + {{PerformanceResourceTiming/encodedBodySize}}, and + {{PerformanceResourceTiming/decodedBodySize}} are set to zero (or the empty string in the case of + {{PerformanceResourceTiming/contentType}}) when the response is CORS-cross-origin. - {{PerformanceResourceTiming/encodedBodySize}} and {{PerformanceResourceTiming/transferSize}} are affected both by the - timing - allow check and by the CORS-cross-origin status. + {{PerformanceResourceTiming/transferSize}} is affected both by the timing + allow check and by the CORS-cross-origin status.