Timing-Allow-Origin: What Analytics Sees in the Resource Timing API
The Timing-Allow-Origin header controls how much cross-origin timing detail a page can read. Here is what it means for privacy-first performance measurement.
The header nobody sets on purpose
Most teams meet Timing-Allow-Origin (TAO) only when a chart in their monitoring tool shows suspicious zeros. Cross-origin resources — fonts, images from a CDN, a third-party script — appear in the Resource Timing API, but their detailed sub-timings read back as 0 unless the responding server explicitly opts in. That opt-in is the TAO header, and understanding it is essential if you want honest performance data without reaching for invasive tracking.
The Resource Timing standard exposes a PerformanceResourceTiming entry for every fetch a page makes. For same-origin resources you get the full breakdown: DNS lookup, TCP connect, TLS negotiation, request start, and response timings. For cross-origin resources, the specification deliberately restricts what a document can read, because those fine-grained timings can leak information about a user's network state, cache contents, or the internal behaviour of another origin.
What gets zeroed out
Without a matching TAO header, the following attributes on a cross-origin PerformanceResourceTiming entry are clamped to zero: redirectStart, redirectEnd, domainLookupStart, domainLookupEnd, connectStart, connectEnd, secureConnectionStart, requestStart, responseStart, transferSize, encodedBodySize, and decodedBodySize. You still get startTime, duration, responseEnd, and the resource name and initiatorType. In practice that means you can tell a resource loaded and how long it took overall, but not where the time went or how many bytes crossed the wire.
The check is defined by the timing allow check algorithm in the Resource Timing specification. A resource passes if its response carries Timing-Allow-Origin with a value that either equals the origin of the requesting document or is the wildcard *.
Timing-Allow-Origin: https://example.com
# or, to allow any origin
Timing-Allow-Origin: *
Why this matters for privacy-first analytics
Monoid measures performance from the field — real navigations by real visitors — without cookies, without localStorage, and without fingerprinting. The Resource Timing and Navigation Timing APIs are the standards-based way to do that, and TAO is the mechanism the platform uses to keep cross-origin timing data confidential by default.
That default is a privacy feature, not an obstacle. The clamping exists precisely to stop a page from probing third-party origins for timing side channels. When we recommend that you set Timing-Allow-Origin on your own static assets and CDN, we are asking you to opt your own infrastructure into visibility for your own measurement — not to weaken anyone's protection.
Core Web Vitals reinforce the point. Largest Contentful Paint is frequently a cross-origin image or a web font. If those responses lack a TAO header, you can still observe the LCP element via the Largest Contentful Paint API, but you lose the request and response sub-timings that would tell you whether slow DNS, a cold TLS handshake, or a large transfer caused the delay. Adding the header to your asset origins turns an opaque number into an actionable one.
Setting it correctly
A few practical notes. First, transferSize being non-zero also lets you distinguish a cache hit (a small transfer size) from a network fetch, which is invaluable when diagnosing repeat-view performance. Second, if you serve fonts cross-origin, the CSS crossorigin attribute and CORS are a separate concern from TAO — you may need both. Third, prefer naming specific origins over * where you can, so that only the documents that legitimately need the data receive it.
On Cloudflare, you can add the header at the edge with a Transform Rule or in a Worker response, applying it to your asset paths. Because Monoid runs on the same edge, the timing data your visitors' browsers collect flows straight into aggregate, identifier-free metrics — no per-user profile required to know that your hero image spends 400ms in TLS.
The takeaway
Timing-Allow-Origin is a small header with outsized influence on how much you can learn from field performance data. The browser's default — zeroing cross-origin sub-timings — is a deliberate privacy safeguard, and it aligns neatly with how privacy-first analytics should work: measure aggregates from standard APIs, opt your own origins into detail explicitly, and never treat a user's network fingerprint as something to harvest. Set TAO on your assets, and your Web Vitals debugging gets sharper without any tracking at all.
Comments
Loading comments…