The Resource Timing API is supported in Chrome, Opera, and IE10+. I knew that each of these browsers had individually added support for Resource Timing, but I had never seen them listed together. These browsers represent a significant percentage of overall Web traffic so we can get some good stats with just these three.
Facebook, Google, and Disqus worked together to add the Timing-Allow-Origin response header. This is required to measure the timing of resource from a different origin (for privacy reasons). Some 3rd party content providers might be hesitant to allow website owners to measure 3rd party performance. It’s great that these companies took the first step.
I wanted to use the HTTP Archive data to see how many resources have the Timing-Allow-Origin response header and where they’re coming from.
The total number of requests for the Nov 15 2013 crawl is 27,889,759. Out of those, 342,957 have the Timing-Allow-Origin response header - that’s 1.2%. Not bad for early days.
SELECT count(*)
FROM [httparchive:runs.2013_11_15_requests]
total requsts = 27889759
SELECT count(*)
FROM [httparchive:runs.2013_11_15_requests]
WHERE lower(respOtherHeaders) contains "timing-allow-origin"
Facebook and Google are the most popular domains serving these resources, but other content providers like Spil Games and Odnoklassniki.ru are also showing support:
SELECT domain(url) as domain, count(*) as num
FROM [httparchive:runs.2013_11_15_requests]
WHERE lower(respOtherHeaders) contains "timing-allow-origin"
GROUP BY domain ORDER BY num desc
Facebook and Google have the most popular resources being served with this header:
SELECT url, count(*) as num
FROM [httparchive:runs.2013_11_15_requests]
WHERE lower(respOtherHeaders) contains "timing-allow-origin"
GROUP BY url ORDER BY num desc
I’d love to see Google Analytics, Twitter, and Doubleclick add this response header so website owners can better understand what’s having an impact on their page’s load times.
Awesome. Hope to see this more popular widget / library providers on this list soon!
Quick note: It’ll be interesting to rerun this list on the Dec 15th crawl. Back in November we were still in early stages of rolling out RT support across Google Fonts / Google+ / Google Libraries (CDN). I expect those numbers to be much higher in the next run!
For those having Timing-Allow-Origin header, no one is setting it to anything other than “*”
SELECT url, respOtherHeaders, count(*) as num
FROM [httparchive:runs.latest_requests]
WHERE
lower(respOtherHeaders) contains "timing-allow-origin" and
not lower(respOtherHeaders) contains "timing-allow-origin = *"
GROUP BY url, respOtherHeaders ORDER BY num desc
There are only a few occurrences, mainly garbage from qpic.cn for both desktop and mobile.
Love to see this periodically updated with the latest data.
I put together a query to generate a timeseries:
#standardSQL
SELECT
REPLACE(SUBSTR(_TABLE_SUFFIX, 0, 10), '_', '-') AS date,
SUM(IF(LOWER(respOtherHeaders) LIKE "%timing-allow-origin%", 1, 0)) / COUNT(0) AS pctAllowTiming
FROM
`httparchive.summary_requests.*`
WHERE
ENDS_WITH(_TABLE_SUFFIX, 'desktop')
GROUP BY
date
ORDER BY
date
Run it on BigQuery(warning: this query consumes 431 GB, about half of the free monthly quota)
Revisiting this thread. I’m curious not just how many response headers include TAO but specifically whether resources are Resource Timing enabled, meaning that it is either a same-origin resource or its TAO value is permissive (* or the same origin).
Here’s an example of a query to get the latest data for desktop:
CREATE TEMP FUNCTION isTimingAllowed(origin STRING, url STRING, payload STRING)
RETURNS BOOLEAN
LANGUAGE js AS """
// Same-origin is always allowed.
if (url.startsWith(origin)) return true;
try {
var $ = JSON.parse(payload);
var TAO = $.response.headers.filter(({name}) => name.toLowerCase() === 'timing-allow-origin');
return TAO && ['*', origin].includes(TAO.value);
} catch (e) {
return false;
}
""";
SELECT
SUM(IF(isTimingAllowed(RTRIM(page, '/'), url, payload), 1, 0)) / COUNT(0) AS pct_timing_allowed
FROM
`httparchive.latest.requests_desktop`
I needed to use a UDF to parse the JSON and determine whether the TAO value was permissive. The alternative would have been regex parsing the respOtherHeaders which is ok and cheaper to query, but I like the structured schema of the requests table JSON payload.
Here’s a graph of the data for all dates and desktop/mobile (significantly more expensive to query):
The latest stats put Resource Timing support at about 40% of all resources.
There are some bizarre downward trends, which I can only guess are decays due to the staleness of the sample URLs. Each big jump you see is when we updated (and increased) our sample URLs.
@rviscomi - What will be useful here is to report top third parties which are missing TAO ? I guess there will be some big ones in this list (e.g. Pinterest) and publishing the list of top third parties missing TAO can be a good addition for third parties chapter in Web Almanac 2020.