Make TAO a subset of CORS

[yoavweiss]

The current timing allow check algorithm does not take CORS into account. Effectively that means that even when a response is not opaque and its contents can be inspected by script, its detailed timing information will not be available.

I believe that if a request's response is available for inspection, its timing information cannot reveal any new information, so there's no reason for us to gate it on the presence of TAO headers. Therefore, I propose to further integrate the timing allow check with the CORS check, so that if the latter passes, the former passes as well.

/cc @annevk

[annevk]

I agree with what you're going for here, but to be clear, you cannot perform a CORS check on an arbitrary response. If you fetch something with mode "cors" and you get a response, all is good. You want https://html.spec.whatwg.org/#cors-same-origin which at some point we should uplift to Fetch I suppose. (This is also what's wrong with the timing allow check and putting the focus on that. It's really a property of the entire fetching process as this kind of check needs to be applied to each applicable redirect, etc.)

[yoavweiss]

Discussed on the WG call:

• This will require a security/privacy review to make sure this doesn't enable any attack scenarios
• We need to evaluate the impact (AI on @nicjansma & @yoavweiss to gather data)
• This requires Fetch integration, so makes sense to push this to L3

[annevk]

I don't think it makes sense to continue pushing everyone out that requires Fetch integration, as you're effectively postponing rather critical infrastructure issues.

[yoavweiss]

@annevk - opened #179 as this is an orthogonal discussion to this specific issue. Let's have it there.

[nicjansma]

I did a crawl of the Alexa 1K and split resources out into 4 categories:

• Fully Visible: Available in ResourceTiming and have full timing information (same-origin or have TAO)
• Restricted: Available in ResourceTiming and have partial timing (cross-origin without TAO)
  • Allowed by CORS: Restricted entries that have a ACAO header
• Missing: Not available in ResourceTiming (fetched from a cross-origin IFRAME)

Here's the Alexa 1K totals:

• Resources: 106,152
  • Fully Visible: 29,497 (27%)
  • Restricted: 56,889 (53.5%)
    • Allowed by CORS: 23,991 (42% of Restricted)
  • Missing: 19,766 (18%)

So if we were to apply the CORS check if TAO is missing, around 42% of Restricted entries could made Fully Visible, and the overall Fully Visible entries might increase from around 27% to around 50%.

(note I didn't verify if the ACAO header satisfies the CORS check, just the existence of one)