Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Evaluate current parsing error strategy #42

Closed
cvazac opened this issue Nov 20, 2017 · 5 comments · Fixed by #87
Closed

Evaluate current parsing error strategy #42

cvazac opened this issue Nov 20, 2017 · 5 comments · Fixed by #87
Labels
definition
Milestone
Level 1

Comments

@cvazac
Copy link
Contributor

cvazac commented Nov 20, 2017

During code review here, Mike West said:

Right now, you're setting duration_ to zero if someone passes in duration=whatever. Did you consider something a little more draconian? Reject the header entirely, perhaps, with an appropriate console warning for non-numeric values?

I responded:

At present, this header resolves to a duration of 0.0:
name; duration=foo; duration=123

I think that holds up, spec-wise, so my preference would be to leave as-is.
-first specified parameter "wins" (others are ignored)
(https://w3c.github.io/server-timing/#the-server-timing-header-field)
-failure to parse a duration as a double should result in 0.0.
https://w3c.github.io/server-timing/#-dfn-server-timing-header-parsing-algorithm-dfn-

It is worth having a discussion about how draconian we should be with regard to parse errors.
@yoavweiss
Copy link
Contributor

@mikewest any security-related reasons we want to change paring to be more draconian?

@yoavweiss yoavweiss added this to the Level 1 milestone Oct 21, 2018
@toddreifsteck
Copy link
Member

Rough summary of discussion at TPAC 2018:

  • @cvazac will find data on whether Chrome is parsing data that is not "per spec" in the wild. If it is, we can't break and will need to update spec and file bug on Firefox to fix to new spec update.
  • If it isn't parsing data that breaks spec, we should file bugs on Safari/Chrome to update this behavior to pass the tests

@ddragana
Copy link

Rough summary of discussion at TPAC 2018:

* @cvazac will find data on whether Chrome is parsing data that is not "per spec" in the wild. If it is, we can't break and will need to update spec and file bug on Firefox to fix to new spec update.

* If it isn't parsing data that breaks spec, we should file bugs on Safari/Chrome to update this behavior to pass the tests

The decision is fine by me. (We will update Firefox if needed)

@cvazac
Copy link
Contributor Author

cvazac commented Oct 30, 2018

Current plan as discussed with @yoavweiss:
I'm going to use BQ on HA to identify server-timing header values that we currently parse, but in the future we might want to not allow.

Example:

Server-Timing: metric==   ""foo;dur=123.4

Firefox/spec say the duration should be 123.4. Chrome/Safari stop their processing when it finds the extra chars before the ;, leaving the duration as 0.

@noamr
Copy link
Contributor

noamr commented Feb 27, 2022

See #87
This is all covered in WPT

@noamr noamr mentioned this issue Apr 11, 2022
Merged
@noamr noamr closed this as completed in #87 Apr 21, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
definition
Projects
None yet
Milestone
Level 1
Development

Successfully merging a pull request may close this issue.

Add explicit parsing rules for FETCH integration w3c/server-timing
5 participants
@noamr @yoavweiss @toddreifsteck @cvazac @ddragana