
feat: support for the Timing-Allow-Origin header in CORS plugin #9307

Closed
skimdz86 opened this issue Apr 13, 2023 · 6 comments · Fixed by #9365

@skimdz86
Contributor

Description

When using the CORS plugin, I'd like to be able to also set the Timing-Allow-Origin header (https://www.w3.org/TR/resource-timing/#sec-timing-allow-origin).

The plugin configuration for this header should be separate from the one dedicated to the Access-Control-Allow-Origin header (so I should be able to set 2 different allowed values for these headers).
I'm not completely sure about the need for this separation in the real world, but a possible use case could be:

The plugin configuration should have 2 fields to configure the Timing-Allow-Origin header, similarly to Access-Control-Allow-Origin: a field for accepting a single value "timing_allow_origin", and a field "timing_allow_origin_by_regex" to match different possible origins.

I think that the new header should be set in the response by the plugin only if the user chooses to configure it in the CORS plugin configuration, also given the fact that setting the value * (wildcard) may be considered insecure (see discussion w3c/resource-timing#222), and so we cannot set it as the default.

If you agree on the issue, I would like to try implementing this feature.

@monkeyDluffy6017
Contributor

Hi @skimdz86, it seems that the Timing-Allow-Origin is different from Access-Control-Allow-Origin, why do we put them together? Is it better to develop another plugin? Is Timing-Allow-Origin some kind of CORS?

@skimdz86
Contributor Author

Hi @monkeyDluffy6017,
the Timing-Allow-Origin header is defined in the Resource Timing API, but it seems strictly related to the CORS concepts in my opinion.

In fact, it is a sort of policy about resource sharing, but in this case the information we share is the timing information.
If we look here, the header allows returning the timing properties of a resource under CORS policies.

Imagine that we have 2 domains, x.com and y.com.
From a page on x.com, we can allow the browser to show the resource timing information about a resource on y.com only if we can invoke URLs on y.com; so we have to set the CORS header first, access the y.com URL (with an XHR), and if we have also set the Timing-Allow-Origin the browser will be able to show the timing info of the resource on y.com.

What do you think?
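The header logic proposed in the description (a separate timing_allow_origin and timing_allow_origin_by_regex, emitted only when configured, never defaulting to *) and the x.com/y.com flow above, as an added example that is not part of this issue or of the APISIX plugin: a small Python model of how a CORS plugin would decide both response headers for a given request Origin. The field names follow the proposal; the comma-separated allow_origins value, the full-match regex handling and the Vary header are assumptions of this example.

```python
import re

class CorsTimingConfig:
    """Constructed model of the plugin settings discussed in the issue
    (hypothetical field names taken from the proposal, not a real API)."""
    def __init__(self, allow_origins="*", timing_allow_origin=None,
                 timing_allow_origin_by_regex=None):
        self.allow_origins = allow_origins                    # Access-Control-Allow-Origin policy
        self.timing_allow_origin = timing_allow_origin        # "*" or comma-separated origins
        self.timing_allow_origin_by_regex = timing_allow_origin_by_regex or []

def _match_origin(origin, single, regexes):
    """Return the header value to emit for this request Origin, or None."""
    if single == "*":
        return "*"
    if single and origin in [o.strip() for o in single.split(",")]:
        return origin
    for pattern in regexes:
        # fullmatch, not search: "https://.*\.y\.com" must not accept
        # "https://app.y.com.attacker.example" as an allowed origin
        if re.fullmatch(pattern, origin):
            return origin
    return None

def response_headers(cfg, request_origin):
    """Headers the plugin would add for a cross-origin request from request_origin."""
    headers = {}
    acao = _match_origin(request_origin, cfg.allow_origins, [])
    if acao:
        headers["Access-Control-Allow-Origin"] = acao
    # Timing-Allow-Origin is decided by its own policy and is omitted entirely
    # when the operator configured neither field, so nothing defaults to "*".
    if cfg.timing_allow_origin is None and not cfg.timing_allow_origin_by_regex:
        return headers
    tao = _match_origin(request_origin, cfg.timing_allow_origin,
                        cfg.timing_allow_origin_by_regex)
    if tao:
        headers["Timing-Allow-Origin"] = tao
    # An echoed origin makes the response origin-dependent, so caches must key on it
    if any(v != "*" for v in headers.values()):
        headers["Vary"] = "Origin"
    return headers
```

In the x.com/y.com scenario, y.com needs both headers for https://x.com before a page on x.com can read the full resource timing entries of a y.com resource it fetched with XHR.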

@monkeyDluffy6017
Contributor

monkeyDluffy6017 commented May 25, 2023

> From a page on x.com, we can allow the browser to show the resource timing information about a resource on y.com only if we can invoke URLs on y.com; so we have to set the CORS header first, access the y.com URL (with an XHR), and if we have also set the Timing-Allow-Origin the browser will be able to show the timing info of the resource on y.com

OK, I get it. It's an enhancement feature. Could you explain it in the doc in more detail? Very good example.

@skimdz86
Contributor Author

Ok, I'll update the documentation in the next few days, thanks

@Sn0rt
Contributor

Sn0rt commented Jul 25, 2023

> Ok, I'll update the documentation in the next few days, thanks

Do you have an update for the document?

@skimdz86
Contributor Author

skimdz86 commented Aug 4, 2023

> Ok, I'll update the documentation in the next few days, thanks

> do you have update for document ?

Hi, actually I already updated the documentation in this commit bb98891

Please let me know if everything is ok!

Thanks
