feat: support for the Timing-Allow-Origin header in CORS plugin #9307
Comments
Hi @skimdz86, it seems that the Timing-Allow-Origin is different from Access-Control-Allow-Origin. Why do we put them together? Is it better to develop another plugin? Is Timing-Allow-Origin some kind of CORS?
Hi @monkeyDluffy6017, in fact, it is a sort of policy about resource sharing, but in this case the information we share is the timing information. Imagine that we have 2 domains, x.com and y.com. What do you think?
OK, I get it. It's an enhancement feature. Could you explain it in the doc in more detail? Very good example.
OK, I'll update the documentation in the next few days, thanks.
Do you have an update for the document?
Hi, actually I already updated the documentation in this commit bb98891. Please let me know if everything is OK! Thanks
Description
When using the CORS plugin, I'd also like to be able to set the Timing-Allow-Origin header (https://www.w3.org/TR/resource-timing/#sec-timing-allow-origin).
The plugin configuration for this header should be separate from the one dedicated to the Access-Control-Allow-Origin header (so I should be able to set 2 different allowed values for these headers).
I'm not completely sure about the need for this separation in the real world, but a possible use case could be:
The plugin configuration should have 2 fields to configure the Timing-Allow-Origin header, similarly to Access-Control-Allow-Origin: a field for accepting a single value "timing_allow_origin", and a field "timing_allow_origin_by_regex" to match different possible origins.
I think that the new header should be set in the response by the plugin only if the user chooses to configure it in the CORS plugin configuration, also given the fact that setting the value * (wildcard) may be considered insecure (see discussion w3c/resource-timing#222), and so we cannot set it as the default.
If you agree on the issue, I would like to try implementing this feature.
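The behaviour requested above, modelled as an added Python example; it is not part of the original issue and is not the plugin's own code. The field names come from the issue text, while the function name, the sample configuration, the whole-string regex matching and the `Vary: Origin` header are assumptions of this sketch.

```python
import re

# Constructed sample configuration using the two field names proposed in the
# issue. The CORS allow-origin settings are separate and not modelled here.
SAMPLE_CONF = {
    "timing_allow_origin": "https://y.com",
    "timing_allow_origin_by_regex": [r"https://[a-z0-9-]+\.x\.com"],
}


def timing_headers(conf, origin):
    """Return the response headers to add for one request (may be empty).

    conf   -- dict with optional "timing_allow_origin" (single value) and
              "timing_allow_origin_by_regex" (list of patterns)
    origin -- value of the request's Origin header, or None if absent
    """
    exact = conf.get("timing_allow_origin")
    patterns = conf.get("timing_allow_origin_by_regex") or []

    # Opt-in only: with neither field configured the header is never sent.
    if exact is None and not patterns:
        return {}

    # A wildcard is sent only when the operator wrote it explicitly.
    if exact == "*":
        return {"Timing-Allow-Origin": "*"}

    # From here on the answer depends on the request's Origin, so shared
    # caches must key on it (assumption of this sketch).
    headers = {"Vary": "Origin"}
    if origin is None:
        return headers

    # fullmatch() anchors the pattern at both ends, so an origin that merely
    # contains an allowed origin as a prefix or substring is rejected.
    if origin == exact or any(re.fullmatch(p, origin) for p in patterns):
        headers["Timing-Allow-Origin"] = origin
    return headers
```
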