Revisiting this thread. I’m curious not just how many response headers include TAO but specifically whether resources are Resource Timing enabled, meaning that it is either a same-origin resource or its TAO value is permissive (* or the same origin).
Here’s an example of a query to get the latest data for desktop:
CREATE TEMP FUNCTION isTimingAllowed(origin STRING, url STRING, payload STRING)
RETURNS BOOLEAN
LANGUAGE js AS """
// Same-origin is always allowed.
if (url.startsWith(origin)) return true;
try {
var $ = JSON.parse(payload);
var TAO = $.response.headers.filter(({name}) => name.toLowerCase() === 'timing-allow-origin');
return TAO && ['*', origin].includes(TAO.value);
} catch (e) {
return false;
}
""";
SELECT
SUM(IF(isTimingAllowed(RTRIM(page, '/'), url, payload), 1, 0)) / COUNT(0) AS pct_timing_allowed
FROM
`httparchive.latest.requests_desktop`
I needed to use a UDF to parse the JSON and determine whether the TAO value was permissive. The alternative would have been regex parsing the respOtherHeaders which is ok and cheaper to query, but I like the structured schema of the requests table JSON payload.
Here’s a graph of the data for all dates and desktop/mobile (significantly more expensive to query):
The latest stats put Resource Timing support at about 40% of all resources.
There are some bizarre downward trends, which I can only guess are decays due to the staleness of the sample URLs. Each big jump you see is when we updated (and increased) our sample URLs.