skimdz86 commented on issue #9307: URL: https://github.com/apache/apisix/issues/9307#issuecomment-1563034839
Hi @monkeyDluffy6017, the Timing-Allow-Origin header is defined in the Resource Timing API, but it seems strictly related to the CORS concepts in my opinion. In fact, it is a sort of policy about resource sharing, but in this case the information we share is the timing information. If we look [here](https://developer.mozilla.org/en-US/docs/Web/API/Performance_API/Resource_timing#cross-origin_timing_information), the header allows returning the timing properties of a resource under CORS policies.

Imagine that we have 2 domains, x.com and y.com. From a page on x.com, we can allow the browser to show the resource timing information about a resource on y.com only if we can invoke URLs on y.com; so we have to set the CORS header first, access the y.com URL (with an XHR), and if we have also set the Timing-Allow-Origin the browser will be able to show the timing info of the resource on y.com.

What do you think?

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
