How many and which resources have Timing-Allow-Origin for Resource Timing?

Ilya’s post Measuring network performance with Resource Timing API had two pieces of information that surprised me:

  • The Resource Timing API is supported in Chrome, Opera, and IE10+. I knew that each of these browsers had individually added support for Resource Timing, but I had never seen them listed together. These browsers represent a significant percentage of overall Web traffic so we can get some good stats with just these three.
  • Facebook, Google, and Disqus worked together to add the Timing-Allow-Origin response header. This is required to measure the timing of a resource from a different origin (for privacy reasons). Some 3rd party content providers might be hesitant to allow website owners to measure 3rd party performance. It’s great that these companies took the first step.

I wanted to use the HTTP Archive data to see how many resources have the Timing-Allow-Origin response header and where they’re coming from.

The total number of requests for the Nov 15 2013 crawl is 27,889,759. Out of those, 342,957 have the Timing-Allow-Origin response header - that’s 1.2%. Not bad for early days.

SELECT count(*)
FROM [httparchive:runs.2013_11_15_requests]
total requests = 27889759

SELECT count(*)
FROM [httparchive:runs.2013_11_15_requests]
WHERE lower(respOtherHeaders) contains "timing-allow-origin"

Facebook and Google are the most popular domains serving these resources, but other content providers like Spil Games and Odnoklassniki.ru are also showing support:

SELECT domain(url) as domain, count(*) as num
FROM [httparchive:runs.2013_11_15_requests]
WHERE lower(respOtherHeaders) contains "timing-allow-origin"
GROUP BY domain ORDER BY num desc

Facebook and Google have the most popular resources being served with this header:

SELECT url, count(*) as num
FROM [httparchive:runs.2013_11_15_requests]
WHERE lower(respOtherHeaders) contains "timing-allow-origin"
GROUP BY url ORDER BY num desc

I’d love to see Google Analytics, Twitter, and Doubleclick add this response header so website owners can better understand what’s having an impact on their page’s load times.

1 Like

Happy to see this. mPulse also includes the timing-allow-origin response on boomerang requests.

Awesome. Hope to see more popular widget / library providers on this list soon!

Quick note: It’ll be interesting to rerun this list on the Dec 15th crawl. Back in November we were still in early stages of rolling out RT support across Google Fonts / Google+ / Google Libraries (CDN). I expect those numbers to be much higher in the next run!

For those having the Timing-Allow-Origin header, no one is setting it to anything other than “*”.

SELECT url, respOtherHeaders, count(*) as num
FROM [httparchive:runs.latest_requests]
WHERE
  lower(respOtherHeaders) contains "timing-allow-origin" and
  not lower(respOtherHeaders) contains "timing-allow-origin = *"
GROUP BY url, respOtherHeaders ORDER BY num desc

There are only a few occurrences, mainly garbage from qpic.cn for both desktop and mobile.

Update May 15 2014: In the May 15 crawl there were 1,392,034 responses with Timing-Allow-Origin out of 27655500 total requests (5%). A nice increase!

Update - In the Jan 01 2015 crawl, there were 44,981,766 requests with 2,902,254 set with “timing-allow-origin” - 6.5%

February 15 crawl: 6,942,158 out of 50,088,983 requests (13.86%)

Love to see this periodically updated with the latest data.

I put together a query to generate a timeseries:

#standardSQL
SELECT
  REPLACE(SUBSTR(_TABLE_SUFFIX, 0, 10), '_', '-') AS date,
  SUM(IF(LOWER(respOtherHeaders) LIKE "%timing-allow-origin%", 1, 0)) / COUNT(0) AS pctAllowTiming
FROM
  `httparchive.summary_requests.*`
WHERE
  ENDS_WITH(_TABLE_SUFFIX, 'desktop')
GROUP BY
  date
ORDER BY
  date

Run it on BigQuery (warning: this query consumes 431 GB, about half of the free monthly quota)

The growth is slow but steady.

Explore the raw results

If there’s interest, I could put together a report on the beta.httparchive.org site of popular HTTP headers and track adoption across desktop/mobile.

1 Like

Revisiting this thread. I’m curious not just how many response headers include TAO but specifically whether resources are Resource Timing enabled, meaning that it is either a same-origin resource or its TAO value is permissive (* or the same origin).

Here’s an example of a query to get the latest data for desktop:

CREATE TEMP FUNCTION isTimingAllowed(origin STRING, url STRING, payload STRING)
RETURNS BOOLEAN
LANGUAGE js AS """
  // Same-origin is always allowed.
  if (url.startsWith(origin)) return true;
  
  try {
    var $ = JSON.parse(payload);
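    // find() returns the first matching header object (or undefined);
    // filter() would return an array, which has no .value property.
    var TAO = $.response.headers.find(({name}) => name.toLowerCase() === 'timing-allow-origin');
    return !!TAO && ['*', origin].includes(TAO.value);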
  } catch (e) {
    return false;
  }
""";

SELECT
  SUM(IF(isTimingAllowed(RTRIM(page, '/'), url, payload), 1, 0)) / COUNT(0) AS pct_timing_allowed
FROM
  `httparchive.latest.requests_desktop`

I needed to use a UDF to parse the JSON and determine whether the TAO value was permissive. The alternative would have been regex parsing the respOtherHeaders which is ok and cheaper to query, but I like the structured schema of the requests table JSON payload.

Here’s a graph of the data for all dates and desktop/mobile (significantly more expensive to query):

The latest stats put Resource Timing support at about 40% of all resources.

There are some bizarre downward trends, which I can only guess are decays due to the staleness of the sample URLs. Each big jump you see is when we updated (and increased) our sample URLs.

1 Like
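
The "Resource Timing enabled" check discussed above, as an added example that is not part of the thread or HTTP Archive's own code. It goes beyond the posted UDF by comparing parsed origins instead of URL prefixes, by accepting repeated and comma-separated Timing-Allow-Origin values, and by reporting wildcard grants separately from origin-specific ones; the function names and sample URLs are assumptions made for illustration, and redirect chains are not modelled.

```javascript
// Added example (not from the thread). Header objects use the {name, value}
// shape of the HAR payload; every URL and header below is constructed.

// Collect all Timing-Allow-Origin tokens: the header may repeat, and each
// instance may carry a comma-separated list of origins.
function taoTokens(headers) {
  return headers
    .filter(({ name }) => name.toLowerCase() === 'timing-allow-origin')
    .flatMap(({ value }) => String(value).split(','))
    .map((token) => token.trim())
    .filter((token) => token.length > 0);
}

// Returns 'same-origin', 'wildcard', 'origin-listed' or 'blocked'.
function classifyTiming(pageUrl, resourceUrl, headers) {
  let pageOrigin, resourceOrigin;
  try {
    pageOrigin = new URL(pageUrl).origin;
    resourceOrigin = new URL(resourceUrl).origin;
  } catch (e) {
    return 'blocked'; // unparseable URL: count as not timing-enabled
  }
  // Compare parsed origins, not string prefixes: "https://shop.example" is a
  // prefix of "https://shop.example.cdn.test/x" but a different origin.
  if (pageOrigin === resourceOrigin) return 'same-origin';

  const tokens = taoTokens(headers || []);
  if (tokens.includes('*')) return 'wildcard'; // readable by any embedding origin
  if (tokens.includes(pageOrigin)) return 'origin-listed'; // exact match only
  return 'blocked';
}

// Constructed sample requests made by a page at https://shop.example/
const page = 'https://shop.example/';
const samples = [
  ['https://shop.example/app.js', []],
  ['https://shop.example.cdn.test/app.js', []],
  ['https://fonts.cdn.test/a.woff2', [{ name: 'Timing-Allow-Origin', value: '*' }]],
  ['https://api.partner.test/w.js',
    [{ name: 'timing-allow-origin', value: 'https://other.example, https://shop.example' }]],
  ['https://ads.tracker.test/p.gif',
    [{ name: 'Timing-Allow-Origin', value: 'https://other.example' }]],
];
for (const [url, headers] of samples) {
  console.log(classifyTiming(page, url, headers).padEnd(14), url);
}
```
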

@rviscomi - What will be useful here is to report top third parties which are missing TAO? I guess there will be some big ones in this list (e.g. Pinterest), and publishing the list of top third parties missing TAO can be a good addition for the third parties chapter in Web Almanac 2020.

1 Like

Yes, that's a good suggestion @rockeynebhwani! Could you note that in the 3P chapter issue and/or doc?

1 Like