@@ -646,9 +646,41 @@ <h3>Extensions to the <code>Performance</code> Interface</h3>
646646</ li >
647647</ ol >
648648</ section >
649- < section id ="sec-cross-origin-resources ">
649+ < section id ="sec-timing-allow-origin ">
650+ < h4 > < code > Timing-Allow-Origin</ code > Response Header</ h4 >
651+ < p class ="note "> This section is non-normative.</ p >
652+ < p > The < dfn > Timing-Allow-Origin</ dfn > HTTP response header field
653+ can be used to communicate a policy indicating origin(s) that are
654+ allowed to see values of attributes that would have been zero due
655+ to the cross-origin restrictions. The header's value is represented
656+ by the following ABNF [[RFC5234]] (using < a data-cite =
657+ "RFC7230#section-7 "> List Extension</ a > , [[RFC7230]]):</ p >
658+ < pre class ="abnf ">
659+ Timing-Allow-Origin = 1#( < a data-cite =
660+ "FETCH#origin-header "> origin-or-null</ a > / < a data-cite =
661+ "FETCH#http-new-header-syntax "> wildcard</ a > )
662+ </ pre >
663+ < p > The sender MAY generate multiple < a > Timing-Allow-Origin</ a >
664+ header fields. The recipient MAY combine multiple
665+ < a > Timing-Allow-Origin</ a > header fields by appending each
666+ subsequent field value to the combined field value in order,
667+ separated by a comma.</ p >
668+ < p > The < dfn > timing allow check</ dfn > algorithm, which checks
669+ whether a resource's timing information can be shared with the
670+ < a > current document</ a > , is as follows:</ p >
671+ < ol >
672+ < li > Let < var > response</ var > be the resource's < a data-cite =
673+ "FETCH#concept-response "> Response</ a > .</ li >
674+ < li > Return < var > response</ var > 's < a data-cite =
675+ "FETCH#concept-response-timing-allow-passed ">
676+ timing allow passed flag</ a > .</ li >
677+ </ ol >
678+ < p class =note > The Timing-Allow-Origin header may arrive as part of a cached
679+ response. In case of cache revalidation, according to
680+ < a href ="https://tools.ietf.org/html/rfc7234#section-4.3.4 "> RFC 7234</ a > ,
681+ the header's value may come from the revalidation response, or if not present
682+ there, from the original cached resource.</ p >
650683 < h3 > Cross-origin Resources</ h3 >
651- < p > This section is non-normative.</ p >
652684 < p data-dfn-for ="PerformanceResourceTiming "> As detailed in [=fetch=],
653685 cross-origin resources are included as < a > PerformanceResourceTiming</ a > objects in the
654686 < a data-cite ="PERFORMANCE-TIMELINE-2#performance-timeline "> Performance
@@ -669,7 +701,6 @@ <h3>Cross-origin Resources</h3>
669701 < a > cross-origin</ a > restrictions previously specified in this
670702 section.</ p >
671703</ section >
672-
673704< section id ="attribute-descriptions ">
674705 < h3 > Resource Timing Attributes</ h3 >
675706 < p > This section is non-normative.</ p >
0 commit comments