Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Behavior for performance.getEntries() #223

Open
annevk opened this issue Mar 29, 2023 · 9 comments
Open

Behavior for performance.getEntries() #223

annevk opened this issue Mar 29, 2023 · 9 comments

Comments

@annevk
Copy link
Collaborator

annevk commented Mar 29, 2023

It seems that with

performance.getEntries().find(({entryType})=>entryType==='navigation').name

Chrome at least is more selective about what it ends up stripping from the URL.

It seems to me that should be consistent with document.URL.
@othermaciej
Copy link

Is it even intended spec behavior that Navigation Timing is a loophole around directive stripping from the URL, or should it be filed as a Chromium bug?

@annevk
Copy link
Collaborator Author

annevk commented Mar 29, 2023

That's a good question I hadn't looked into yet.

Per https://w3c.github.io/navigation-timing/#marking-navigation-timing it's a straight up bug, but it's probably the responsibility of this effort to ensure test coverage which this issue can track.

Hopefully @bokand or @noamr is willing to file the bug but I can also do it if that would help.

@noamr
Copy link

noamr commented Mar 29, 2023
edited
Loading

It's a known Chrome bug that I totally forgot about when I went on parental leave :(
https://bugs.chromium.org/p/chromium/issues/detail?id=1096983

See my comment 14:
the current behavior is not according to spec:
https://wicg.github.io/scroll-to-text-fragment/#processing-the-fragment-directive
"The fragment directive is processed and removed from the fragment whenever the UA sets the URL on a Document."

The navigation timing name should be the same as the document URL.
I will follow up from the Chrome side.

@bokand
Copy link
Collaborator

bokand commented Mar 29, 2023

Yeah, I think, per-spec, the fragment directive shouldn't be exposed in navigation timing; that's a Chrome bug.

But I've heard in a couple of places that developers are using this (e.g. the chrome bug, twitter thread). It seems some found it useful to be able to add info to a URL that's guaranteed not to interfere with the page. Perhaps we could add an API to enable this use case in a structured way? See also #160 (comment)

@noamr
Copy link

noamr commented Mar 29, 2023

Yeah, I think, per-spec, the fragment directive shouldn't be exposed in navigation timing; that's a Chrome bug.

But I've heard in a couple of places that developers are using this (e.g. the chrome bug, twitter thread). It seems some found it useful to be able to add info to a URL that's guaranteed not to interfere with the page. Perhaps we could add an API to enable this use case in a structured way? See also #160 (comment)

Not sure this is great privacy-wise. I don't expect pages I navigate to via some text search to be able to tell what search term I used etc. The structured API to do this is perhaps standard query variables?

@bokand
Copy link
Collaborator

bokand commented Mar 29, 2023

Not sure this is great privacy-wise.

The nice thing about providing a structured API is that we could, e.g., prevent exposing content for a sensitive directive like text, perhaps depending on conditions, cross/same origin, etc.. I believe the use case is to use a custom directive which would just pass through the content - I've asked on the Chrome bug for more information about usage.

(To be clear, the content in the text directive already exists on the page and a page could guess it, with some fuzziness, based on the scroll position. But point taken)

The structured API to do this is perhaps standard query variables?

Speculating but I think the fact that this will cause a new request, and include the parameters in the request, is probably the reason people were using the fragment. You'd also be relying on the server not choking on the unexpected query params.

@noamr
Copy link

noamr commented Mar 29, 2023

In any case, to be clear, making this web-exposable would be a new conversation and performance.getEntries() should definitely not be the way to get this information.

@noamr
Copy link

noamr commented Mar 29, 2023

See #128 for conversation about exposing text fragment to the page, with a lot of privacy-related conversation on the mozilla standards position. @annevk you were actually quite active on that one seems like :)

Apparently some existing content relies on the performance.getEntries() bug as a "feature" so the plot is a bit thicker.

@annevk
Copy link
Collaborator Author

annevk commented Mar 30, 2023

The API questions should probably be discussed in their relevant issues. Resolving #217 might help with some of them as perhaps the Navigation API should be an entry point. What mainly concerns me about reading the fragment directive is consistency. It seems problematic that access to identifiers is conditional and might change in the future (e.g., if we decide another directive also needs to be hidden from script).

@zcorpan zcorpan mentioned this issue Jun 22, 2023
Closed
@eligrey eligrey mentioned this issue Oct 2, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@noamr @othermaciej @annevk @bokand