CORS: Cross-Origin Resource Sharing
Definition and RUM metrics calculation limitations with CORS
CORS is a mechanism that allows a server to indicate any origins other than its own from which a browser should permit loading of resources.
As explained in detail in the article "What is the impact of CORS on performance monitoring", CORS significantly influences how W3C Time Navigation API metrics are reported.
When requesting cross-origin resources, of all the metrics shown in the figure above, only the following attributes are correctly reported:
Furthermore, cross-origin resources that are redirected will have a startTime that only reflects the final resource: startTime will equal fetchStart instead of redirectStart. This means the time of any redirect(s) will be hidden from the resource timing.
How does Kadiska take CORS into account?
As stated above, despite the limitations that CORS introduces, we are still able to calculate the whole duration of a resource fetch.
Concretely, this means that you can easily identify resources that significantly impact overall application performance.
The example below illustrates this. In the picture, you can see an image that took 1.6 seconds to be fetched by the browser. Even though we are not able to report detailed metrics, the whole duration of the fetch transaction is reported and can be used to assess resource-related performance.
Identification of CORS transactions
The percentage of transactions related to CORS resources for which no performance metric could be reported, due to the absence of the TAO (Timing-Allow-Origin) header in the HTTP(S) response, is provided in the metric called
In the example above, the Resources time is provided for all types of resource:
- All resources for which performance metrics are collected represent an average resource time (average time to fetch all resources) of 1.6s
- All resources for which no performance metrics can be collected (mainly due to CORS with TAO limitation) represent an average resource time of 9.9ms. In addition, the percentage of these resources is also provided (89% in this specific case).
How do you retrieve W3C Time Navigation metrics for CORS requests?
If you control the domains you are fetching other resources from, you can lift the limitations mentioned previously by sending a Timing-Allow-Origin (TAO) header in HTTP responses, informing the browser that it is allowed to process performance metrics.
If you are serving any of your content from another domain, e.g. from a CDN, it is strongly recommended that you set this header for those responses.
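To see which of your own resources are affected, the split described under "Identification of CORS transactions" can be reproduced from the browser's Resource Timing entries. The following is an added example, not Kadiska's code: the function names and sample entries are constructed, and the test for a missing TAO header (cross-origin entry whose requestStart and responseStart are both 0) is a heuristic assumption.

```javascript
// Added example: split Resource Timing entries into "detailed metrics available"
// and "timing restricted" (cross-origin response without a matching TAO header).

// Heuristic (assumption): browsers zero requestStart and responseStart for
// cross-origin resources that do not pass the Timing-Allow-Origin check.
function isTimingRestricted(entry, pageOrigin) {
  const crossOrigin = new URL(entry.name, pageOrigin).origin !== pageOrigin;
  return crossOrigin && entry.requestStart === 0 && entry.responseStart === 0;
}

function average(values) {
  return values.length ? values.reduce((a, b) => a + b, 0) / values.length : 0;
}

// Returns the share of restricted entries, the average fetch duration of each
// group, and the hosts whose responses would need a TAO header.
function summarizeResources(entries, pageOrigin) {
  const restricted = entries.filter((e) => isTimingRestricted(e, pageOrigin));
  const detailed = entries.filter((e) => !isTimingRestricted(e, pageOrigin));
  return {
    restrictedPercent: entries.length
      ? Math.round((restricted.length / entries.length) * 100)
      : 0,
    avgDetailedMs: average(detailed.map((e) => e.duration)),
    avgRestrictedMs: average(restricted.map((e) => e.duration)),
    hostsMissingTao: [...new Set(restricted.map((e) => new URL(e.name).host))].sort(),
  };
}

// Constructed sample entries (shape of PerformanceResourceTiming, values invented).
const SAMPLE_ORIGIN = "https://app.example.com";
const SAMPLE_ENTRIES = [
  // Same origin: full detail.
  { name: "https://app.example.com/main.js", startTime: 10, fetchStart: 10,
    requestStart: 15, responseStart: 40, responseEnd: 60, duration: 50 },
  // Cross-origin without TAO: only start, fetchStart, responseEnd, duration are usable.
  { name: "https://cdn.example.net/hero.png", startTime: 20, fetchStart: 20,
    requestStart: 0, responseStart: 0, responseEnd: 1620, duration: 1600 },
  { name: "https://cdn.example.net/font.woff2", startTime: 25, fetchStart: 25,
    requestStart: 0, responseStart: 0, responseEnd: 55, duration: 30 },
  // Cross-origin with TAO: detail is exposed again.
  { name: "https://static.example.org/lib.js", startTime: 30, fetchStart: 30,
    requestStart: 35, responseStart: 80, responseEnd: 130, duration: 100 },
];

// In a browser: summarizeResources(performance.getEntriesByType("resource"), location.origin)
```

In the sample, both restricted entries still carry a usable duration, which is why the slow image remains visible even without the detailed breakdown.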