Clarify presence of requests that don't return a response #12
Comments
|
OK so my 0.02c having pondered about this for a few days: Requests that are made but fail should be included in the waterfall e.g. DNS, TCP connection, SSL/TLS negotiation failures. Requests that aren't made because they fail a browser security check e.g. Mixed Content, CSP failures should not be included. One thing I'm not clear on is how/where server pushed resources fit. We should get @bluesmoon and @nicjansma views on this as they use RT in their RUM product |
|
@andydavies I think that criteria for what should be included is great. There should probably also be a new field on the PerformanceResourceTiming interface to indicate that it is a failure (and possibly, some classification on why). |
|
@andydavies how does FF/IE surface failed requests? I assume some of the timing values are set to 0, or left undefined? |
|
This is FF 37: 404s. XMLHttpRequest: Duration is 0 for the next two, so it's rather misleading, especially if it took a while for the DNS failure. DNS failure: Timeout (though you have to wait for it to timeout): |
|
@bluesmoon 4XX/5XX are valid responses, I don't think we should treat them any different from 2XX. That's worth clarifying in the spec... And for connection failures, it seems like we should provide the timestamps for the parts of the connection establishment that we were able to observe. |
|
@igrigorik right... except that Chrome does not include 4xx/5xx. For connection failures, it becomes a little complicated with cross-origin requests. For example, in the blackhole.wpt.org case, we could say that duration was 60s, but without connect start/end, we wouldn't know where the failure was... I suppose TAO is the only way to get that, except that for a resource that times out, there is no TAO header. |
|
@bluesmoon yes, something we would need to fix in Chrome as well. Re, cross-origin: right, we would only surface duration for cross-origin, since we wouldn't know if TAO applies or not. For more detailed reports you have NEL. |
|
I wrote a few test for this - feel free to pick holes in them For the DNS and TCP failures FF sets responseEnd to the same as startTime (or fetchStart) so duration is 0 responseStart is after responseEnd for the 404 case in FF too. I really need to run these tests through WPT so they're in a clean test environment DNS Lookup Failure http://andydavies.github.io/rt-tests/dns-failure.html
TCP Connection Failure http://andydavies.github.io/rt-tests/tcp-connection-failure.html
HTTP 404 Failure http://andydavies.github.io/rt-tests/http-404-failure.html
|
|
@andydavies thanks, this is really helpful. On first pass, IE behavior seems to make sense.. Do you see any issues with it? |
|
I think IE's behaviour provides more clarity but I wonder if it can be improved on. In DNS case there's no value for domainLookupStart, in the TCP case there's no values for domanLookupStart or End, and no value for connectStart even though events happened. I re-ran the tests in WPT, and captured the relevant RT entires - Details > Custom Metrics The WPT waterfalls aren't quite right as they miss entries when DNS lookup or TCP connection fails (known area for improvement) DNS Failure IE11 - http://www.webpagetest.org/result/150304_3C_87597985c7a090fd9637b2e43d57afef/ TCP Connection Failure IE11 - http://www.webpagetest.org/result/150304_72_66f3513711180fc8fadd1fc1b1c84e57/ 404 Failure IE11 - http://www.webpagetest.org/result/150304_NE_bb2b93c502a6422cd130b061610fd477/ |
|
We should also look into how 301s & 302s are handled. @gui-poa has done some research on this. |
|
@bluesmoon As in when the included resource redirects and resource redirected to fails for some reason? |
|
well, there are probably several different cases we should look at. Failure being one of them. We also need to check if both 301 & 302 responses actually show up and is it different if the 301 state was cached by the browser. |
|
Makes sense. As a general rule: we should report for all successful substeps up to the point where the failure occurred. @gui-poa @bluesmoon redirects are a separate discussion, see: https://lists.w3.org/Archives/Public/public-web-perf/2015Feb/0059.html |
|
Andy, thanks for the testing and issues for IE. I'll get those issues on our list. It is possible that the DNS entries are accurate due to DNS caching depending on the testing methodology. Is the VM the browser runs on guaranteed to have a clean DNS cache? Also, these tests seem useful for standards validation if we come to agreement on behavior. |
|
@toddreifsteck Good point in the DNS front, I realised this after I posted the first set of numbers above, so I repeated the tests in WebPageTest which guarantees a clean DNS cache. The WPT tests show the same behaviour, this is the 404 case for example: [ |
- fetches that are blocked (CSP, CORS, etc) are omitted - fetches aborted due to network/other errors must be included - failed fetches must surface initialized attributes up to point of failure Closes #12.
|
First run at resolving this: 0eb0f69 -- thoughts, feedback? |
|
The update looks good however... thinking a bit more on this.. and noting the thought here to bubble on it for a day... Are there any privacy concerns for revealing network errors for fetches without a NEL registration or a Timing-Allow-Origin on file? |
|
@toddreifsteck thanks, good point. A couple of related discussions... /cc @annevk
TAO should apply, just as it does to any other
Does that sound reasonable? p.s. FWIW, I think NEL registrations are orthogonal to this discussion.. |
|
Historically we have not surfaced detailed error information even same-origin. This would be a change in security practices around that. |
|
@annevk fwiw, a quick recap of what we're proposing here...
So, the question is whether more detailed timing data is available for failed requests (2i) -- correct? It seems odd to me that we would provide detailed timing data for successful fetches, but then omit it for failed ones. If the concern is that someone could use said timing data on failed fetches to infer something about the user, or their network, then it seems that this same argument should apply to successful fetches... As in, I don't think we're exposing any additional surface area, as far as security/privacy is concerned, as long as we follow the TAO model. But, perhaps you disagree? |
|
I guess the difference is that you can figure out where the failure happens since you provide a more detailed breakdown in the comments above, such as DNS lookup time. |
|
That only happens if Timing-Allow-Origin is on, which is the intention. Note that With DNS or TCP failures, there will be no TAO header since there are no headers, so that information doesn't come back. See the full conversation for details of this. |
|
@bluesmoon I was discussing same-origin, not cross-origin. It is my understanding TAO implicitly allows same-origin and therefore effectively does not apply. |
|
yes that's right, but I don't believe this raises any new security concerns. If you're able to get timing information of a same-origin resource, then you already have control over the HTML of the page either because you own the page or because you have already XSSed it. For an attacker, it doesn't matter if the resource you're trying to time is successful or an error. Can you get DNS, TCP & SSL timing? Doesn't matter because you can get that from navtiming of the page itself, which you have control over. Are you trying to check if the user's ISP/client has a different DNS/TCP timeout than the main page? You can get that with a successful resource as well. For a site owner however, the benefits of having this are way more important -- I can report and alert on whether my site has problems. And there are no downsides. Every time we talk to site owners about resource timing, and once they understand it, they want to know if it will tell them which resources aren't responding, because very few people care about timing the resources that work correctly. |
|
@igrigorik should be fixed now go ahead and assign. I'll take a stab at first run. |
|
Great, thanks Wes! |
|
My security wording might be a little weak. You summed it up well with your fetch precondition examples in the Resources Included section.Should I be more descriptive here? It really comes down to 1) is the fetch same origin 2) and/or does it have TAO opt in. Finally, are we doing a fetchFailed flag? I have in my notes that the consensus was on a flag that was set to true by responseStart and responseEnd both being equal to zero. Should we add this to the spec? |
|
Hmm, I think this is heading in the right direction but I'm wondering if we should be more explicit? For example...
Also, we'll need carveouts for blocked fetches due to CORS, mixed content, etc. @plehegar @toddreifsteck wdyt? |
|
Discussed this at TPAC today with Todd & Yoav...
|
igrigorik
removed
privacy-tracker
|
@igrigorik #90 addresses your comment about "We need to address 'status code' as part of this work as well; developers need a way to distinguish successful requests from 4xx/5xx and errors.", and its been in limbo since Jan 2017. Can we get expert opinions on that one please? |
|
@mvadu I think we agreed in this thread that we're willing to provide additional information about failures, but we deferred the "how" of that into L3 work stream and we've been heads down on L2 issues. Hence slow progress.. not because we don't want to, but lack of bandwidth. Let's continue in #90. |
|
I thought it'd be interesting to look where browser support is today, for posterity (not to re-open this discussion): Key:
DNS Failure (cross-origin)URL: https://thisdomaindoesnotexistNNNNNNN.com (should be cross-origin)
No ResourceTiming entry: Chrome 71, Safari 12 Bugs:
TCP Failure (same domain, different port, cross-origin)
No ResourceTiming entry: Chrome 71, Safari 12 Bugs:
TCP Failure (cross-origin)
No ResourceTiming entry: Chrome 71, Safari 12 Bugs:
SSL Failure (cross-origin)
No ResourceTiming entry: Chrome 71, Safari 12 Bugs:
4xx Result Code (same-origin)
No ResourceTiming entry: Chrome 71, Safari 12 Notes: DNS, TCP, SSL can be 0 duration because of connection-reuse Bugs:
4xx Result Code (cross-origin)
No ResourceTiming entry: Chrome 71, Safari 12 Bugs: 5xx Result Code (same-origin)
No ResourceTiming entry: Chrome 71, Safari 12 Notes: DNS, TCP, SSL can be 0 duration because of connection-reuse Bugs:
5xx Result Code (cross-origin)
No ResourceTiming entry: Chrome 71, Safari 12 Bugs: Final WordsTest cases are here: https://nicj.net/dev/resourcetiming/error-resources.html I didn't test some of the harder cases like DNS/TCP/SSL failure for same-origin since that'd require some sort of intermittent DNS/TCP/SSL on the same server. I also didn't verify or check these tests against Web Platform Tests. Filed: |
|
It's been almost 2.5 years since the last checkup, and I was curious about the progress. Here's where we are today (again, not to re-open this discussion): Key:
(I've removed Edge that was included in the previous check, now that it's Chromium-based) DNS Failure (cross-origin)URL: https://thisdomaindoesnotexistNNNNNNN.com (should be cross-origin)
No ResourceTiming entry: Chrome <= 78, Safari (tested through 13) Bugs:
TCP Failure (same domain, different port, cross-origin)
No ResourceTiming entry: Chrome <= 78, Safari (tested through 13) Bugs:
TCP Failure (cross-origin)
No ResourceTiming entry: Chrome <= 78, Safari (tested through 13) Bugs:
SSL Failure (cross-origin)
No ResourceTiming entry: Chrome <= 78, Safari (tested through 13) Bugs:
4xx Result Code (same-origin)
No ResourceTiming entry: Chrome <= 78, Safari <= 12 Notes: DNS, TCP, SSL can be Bugs:
4xx Result Code (cross-origin)
No ResourceTiming entry: Chrome <= 78, Safari <= 12 Bugs:
5xx Result Code (same-origin)
No ResourceTiming entry: Chrome <= 78, Safari <= 12 Notes: DNS, TCP, SSL can be Bugs:
5xx Result Code (cross-origin)
No ResourceTiming entry: Chrome <= 78, Safari <= 12 Bugs:
Final WordsTest cases are here: https://nicj.net/dev/resourcetiming/error-resources.html I didn't test some of the harder cases like DNS/TCP/SSL failure for same-origin since that'd require some sort of intermittent DNS/TCP/SSL on the same server. I also didn't verify or check these tests against Web Platform Tests. Filed bugs: |
|
It's probably worth extending the tests to check how Resource Hints impacts behaviour, for example, in Chrome, secureConnectionStart === 0 when origin is preconnected to |
|
Great idea Andy, I can check on that |
|
Is there a way to know if the request failed? Are there any fields that can indicate that? |
|
Can a timeline be given like DevTools Timing in the case of a resource request failure. At present, the requestStart and responseStart obtained by PerformanceResourceTiming are both zero
|
https://lists.w3.org/Archives/Public/public-web-perf/2015Feb/0065.html
The text was updated successfully, but these errors were encountered: