Use internal response for Server-Timing processing

noamr · annevk · web-flow · commit afacb1f824e1 · 2023-01-03T09:33:44.000+01:00
The Server-Timing header data is protected by the Timing-Allow-Origin header, so there's no need to safelist it through CORS, unless you wanted direct access to the raw header. Tests: web-platform-tests/wpt#37714. Closes #1511. Co-authored-by: Anne van Kesteren <annevk@annevk.nl>
diff --git a/fetch.bs b/fetch.bs
@@ -4643,7 +4643,12 @@ steps:
   <a for="fetch params">request</a>'s <a for=request>client</a> is a <a>secure context</a>, then set
   <var>timingInfo</var>'s <a for="fetch timing info">server-timing headers</a> to the
   result of <a for="header list">getting, decoding, and splitting</a> `<code>Server-Timing</code>`
-  from <var>response</var>'s <a for=response>header list</a>.
+  from <var>response</var>'s <a for="filtered response">internal response</a>'s
+  <a for=response>header list</a>.
+
+  <p class=note>Using _response_'s <a for="filtered response">internal response</a> is safe as
+  exposing `<code>Server-Timing</code>` header data is guarded through the
+  `<code>Timing-Allow-Origin</code>` header.
 
   <p>The user agent may decide to expose `<code>Server-Timing</code>` headers to non-secure contexts
   requests as well.
