Protect Resource Timing's workerStart behind a Timing-Allow-Origin check

The change avoids the exposure of workerStart timestamps for cross origin iframes without explicit opt-in from the cross-origin server.

Reduce the information exposed across origins, and prevent the fingerprintability and information exfiltration that exposing workerStart for cross-origin iframes enables.



Editor's draft

Status in Chromium


In development (tracking bug)

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

  • No public signals
  • No public signals
  • No public signals
  • No signals


Last updated on 2019-11-25