List all the attributes that will get masked when TAO fails (#311)

* List all the attributes that will get masked when TAO fails * Improve description of what/why fields get masked * More wordsmithing * Use implicit reference for 'opaque entry' instead of data-cite
w3c · Jan 13, 2022 · cb5502e · cb5502e
1 parent 99134f1
commit cb5502e
Showing 1 changed file with 15 additions and 7 deletions.
diff --git a/index.html b/index.html
@@ -912,14 +912,20 @@ <h3>
           Cross-origin Resources
         </h3>
         <p class="note" data-dfn-for="PerformanceResourceTiming">
-          As detailed in [=Fetch=], cross-origin resources are included as
-          <a>PerformanceResourceTiming</a> objects in the <a data-cite=
-          "PERFORMANCE-TIMELINE-2#performance-timeline">Performance
-          Timeline</a>. If the <a data-cite="FETCH#concept-tao-check">timing
-          allow check</a> algorithm fails for a resource, the following
-          attributes of its <a>PerformanceResourceTiming</a> object are set to
-          zero: {{PerformanceResourceTiming/redirectStart}},
+          As detailed in [=Fetch=], requests for cross-origin resources are
+          included as <a>PerformanceResourceTiming</a> objects in the
+          <a data-cite= "PERFORMANCE-TIMELINE-2#performance-timeline">
+          Performance Timeline</a>. If the
+          <a data-cite="FETCH#concept-tao-check">timing allow check</a>
+          algorithm fails for a cross-origin resource, the entry will be an
+          [=create an opaque timing info|opaque entry=]. Such entries have most
+          of their attributes masked in order to prevent leaking cross-origin
+          data that isn't otherwise exposed. So, for an
+          [=create an opaque timing info|opaque entry=], the following
+          attributes will be set to zero:
+          {{PerformanceResourceTiming/redirectStart}},
           {{PerformanceResourceTiming/redirectEnd}},
+          {{PerformanceResourceTiming/workerStart}},
           {{PerformanceResourceTiming/domainLookupStart}},
           {{PerformanceResourceTiming/domainLookupEnd}},
           {{PerformanceResourceTiming/connectStart}},
@@ -930,6 +936,8 @@ <h3>
           {{PerformanceResourceTiming/transferSize}},
           {{PerformanceResourceTiming/encodedBodySize}}, and
           {{PerformanceResourceTiming/decodedBodySize}}.
+          Further, the {{PerformanceResourceTiming/nextHopProtocol} attribute
+          will be set to the empty string.
         </p>
         <p>
           Server-side applications may return the <a>Timing-Allow-Origin</a>