Report iframe & frame resource timing

[noamr]

• At least two implementers are interested (and none opposed):

  • Already implemented, as of Clarify RT entry creation when iframe changes src w3c/resource-timing#316 all implementers are interested in aligning.

• Tests are written and can be reviewed and commented upon at:

  • Test that RT entries are created at the right time for iframes web-platform-tests/wpt#32490, ResourceTiming: Add some scenarios to iframe RT test web-platform-tests/wpt#32527, Frameset resource timing web-platform-tests/wpt#32617, Iframes with missing redirect location should fire load event and queue RT entry web-platform-tests/wpt#33317
  • Report iframe resource timing also with 204/205 iframes, and don't report for download web-platform-tests/wpt#33402
  • Make sure iframe reports resource timing for non-HTML web-platform-tests/wpt#33403

• Implementation bugs are filed:

  • Chrome: 1290721
  • Safari: 235561, 238246
  • Firefox: Not necessary so far

(See WHATWG Working Mode: Changes for more details.)

---

/browsing-the-web.html ( diff )
/iframe-embed-object.html ( diff )

[domenic]

We should avoid introducing more instances of "source browsing context", per #1130. At least ones outside of the synchronous initial computation.

Can you instead compute a boolean synchronously, something like "initiator is container", and then consult that at "report frame timing" time? You can stuff it into navigation params, so that you don't need to pass it around manually.

[domenic]

I'd prefer these not share a dd; they can each have a separate one just saying "a boolean".

[domenic]

If we keep this, put <var> inside the <dfn>. But per the below I think we should calculate it early in the algorithm, instead.

[domenic]

I think it's better to calculate this using the source browsing context vs. the target browsing context, instead of passing it in as a parameter. As long as we calculate it synchronously.

That would also get you embed and object for free, kinda? At least in the cases where they're behaving like nested browsing contexts. (Which embed doesn't in the spec, but does in practice; see #513 .)

[domenic]

I kind of changed my mind here; see #7554 (review) . We don't want embed/object to trigger this since you're doing it separately over in #7554.

However in that case I think we should rename the parameter. Something like "needs to report resource timing" maybe? Because for embed and object, "is container-initiated" could be true; it's just that we don't want to report resource timing for them since we're doing it separately.

[domenic]

Also need to set it for the javascript: URL case a few lines below this.

[domenic]

Should it be the DOM manipulation or the networking task source? I feel like most of the others are done from the networking task source.

Not sure it matters much in practice...

[domenic]

So, do we not report frame timing when navigating to XHTML/img/video/text/etc. documents? I think all those sections will probably need updating too.

[noamr]

@domenic, apparently this no longer depends on a change in Fetch, the existing finalize algorithm should suffice as Fetch already performs TAO checks for iframes based on the top-level origin at a different stage.

[domenic]

span -> i

[domenic]

Let's stick with keeping dd/dt pairs 1:1 for navigation params, so insert another <dd>a boolean</dd>. Or even better, <dd>a boolean indicating ...</dd> explaining its purpose.

[domenic]

<var> inside the <dfn>

[domenic]

Involving the streams machinery here just to get access to the point in time before the final byte seems bad, since it doesn't match implementations. And, I don't think it will work? Once a chunk passes through the transform, it will probably be parsed, and that happens before the flush algorithm.

I'm not really clear how this is supposed to work, in general. We have three events:

A. The resource timing entry is sent
B. The browser parses the bytes, e.g. to do preload scanning or tree construction (which might run scripts)
C. The last byte is read from the network

You seem to be claiming that A must be sent before B, and also that A must occur after C. But B occurs way before C.

[noamr]

Involving the streams machinery here just to get access to the point in time before the final byte seems bad, since it doesn't match implementations. And, I don't think it will work? Once a chunk passes through the transform, it will probably be parsed, and that happens before the flush algorithm.

I'm not really clear how this is supposed to work, in general. We have three events:

A. The resource timing entry is sent

B. The browser parses the bytes, e.g. to do preload scanning or tree construction (which might run scripts)

C. The last byte is read from the network

You seem to be claiming that A must be sent before B, and also that A must occur after C. But B occurs way before C.

Fair enough, will have another think about this...

[noamr]

I think the stream machinery does the right thing, but the comment is inaccurate - the reporting might be done after parsing, but before handling the EOF.

I can think of 3 alternatives:

• Keep the current stream foo and update the comment
• Add a processResponseEndOfBody callback to the navigation fetch and report iframe there. It does the streams foo internally in fetch. (this somewhat matches implementations)
• Add separate wording for each resource type (HTML, XML, etc.)

[domenic]

processResponseEndOfBody sounds best to me!

[noamr]

OK, refactored in this spirit and the PR is significantly smaller :)

[noamr]

Anything still missing @domenic?

[domenic]

This <i> needs to be a link, i.e. <i data-x="...">.

[domenic]

This variable is not defined inside "process a navigate fetch". It needs to be threaded through from at least one caller, possibly multiple.

Also, this will only call processResponseEndOfBody for the very first fetch, when response is null. Any redirect fetches afterward will be ignored. Is that the desired timing?

[noamr]

Hmm it's not the desired thing. But not sure how else to use processResponseEndOfBody - we will need to make the same "is this a valid redirect" checks inside processEndOfBody.

I'm thinking that perhaps my previous approach of using a transform stream (a previous revision) is the correct way to do this. It's really a replication of a similar stream in https://fetch.spec.whatwg.org/#fetch-finale that we need to do here because we replicate the redirect mechanics.

[noamr]

Refactored to account for redirects. Not sure if this is simpler/more readable than using a TransformStream, but it would be as correct. WDYT?

[domenic]

I find it weird that we're tracking final response-ness both here and in the rest of the loop. For example, that leads to problems where e.g. the censoring done in step 13.5.10 is not reflected; you can use navigation timing to figure out how long responses blocked by CORP take to read their full body. Maybe that is already handled through additional checks in the navigation timing spec? But it seems very duplicative.

Similarly, I'm unsure whether navigation timing will give you results for 204s, 205s, Content-Disposition: attachment downloads, X-Frame-Options failures, or CSP failures. All of those are handled in "process a navigate response", far disconnected from this algorithm.

The cleanest layering I could imagine would be to handle navigation timing around the same time load events are fired, e.g. in https://html.spec.whatwg.org/#navigate-html. But that would preclude firing navigation timing for some error cases, so I don't know if that would be correct. I'd need additional clarity on which error cases you want to include, to give better advice.

[noamr]

How is this related to navigation timing? This PR is about resource timing for the iframe. It should represent the timing used to fetch the iframe resource, and nothing else. The rest of these concerns are indeed about navigation and not related to this...

Also the implementations are in that spirit - an EOF handler on the iframe fetch that reports to the container if the navigation was container initiated.

[domenic]

I admit I misunderstood/misspoke. However, it's a resource being used for navigation, so I think some of those concerns might apply, especially the security concerns about not wanting to leak data if it is blocked.

[domenic]

Here is another angle of approach. I am pretty sure that in implementations, if you fail a CSP check or X-Frame-Options check or CORP check while doing the initial load of an iframe, we don't proceed to download the whole request body just so we can give you accurate resource timing. Whereas your current PR implies that would be done. It isn't meshing with other parts of the spec which indicate such errors by, e.g., overwriting the response variable with a network error.

I'm less sure about Content-Disposition: attachment cases (maybe we do report the amount of time it takes to download the file?) or 204s/205s where the server gives a body anyway despite that being disallowed by HTTP (maybe Fetch will queue processResponseEndOfBody immediately, ignoring the body)? But at least in cases where the current HTML spec ignores the body, I am doubtful implementations read the whole thing just for resource timing.

[noamr]

I see what you mean, indeed X-Frame-Options and CSP navigate failure should terminate the fetch, and report an opaque entry, as if it was a network error, to resource timing. This is indeed covered with WPT: https://wpt.fyi/results/resource-timing/iframe-failed-commit.html

I also added a WPT for 204/205: web-platform-tests/wpt#33402.

I'll amend the spec. I believe we need to be explicit about navigation failure terminating the fetch, which would solve the issue of fetch continuing all the way through, and we can add reporting there.

[noamr]

Actually there is another handled case, an unknown mime-type, which would cause a download. An RT entry should not be reported in that case. Added a test.

This convinces me that the reporting should be done in the different scenarios such as navigate-html navigate-xml etc, like I did in one of the first PRs.

[noamr]

OK I refactored again to use report inside the mime-type specific handlers. This makes more sense because for non-supported mime-types there is no reporting, and it also takes care of X-Frame-Options and CSP.

One issue that's not properly handled though is TAO checks.
@domenic do you want to see if where I went with this reporting-wise is OK and then I'll add the TAO checks, which is kind of a separate issue, or should I try to add it to the PR first?

[noamr]

OK I refactored again to use report inside the mime-type specific handlers. This makes more sense because for non-supported mime-types there is no reporting, and it also takes care of X-Frame-Options and CSP.

One issue that's not properly handled though is TAO checks. @domenic do you want to see if where I went with this reporting-wise is OK and then I'll add the TAO checks, which is kind of a separate issue, or should I try to add it to the PR first?

OK it's resolved in whatwg/fetch#1422 without need to change anything in the HTML PR.

[domenic]

Looks good, just editorial stuff at this point

[noamr]

Fixed editorial notes