Timing-Allow-Origin (TAO) is an HTTP response header. It lists the origins that are allowed to read the values of the attributes the Resource Timing API reports for a cross-origin resource. Without it, the detailed attributes of a cross-origin resource (the redirect, DNS, connection, request and response-start timestamps, and the transfer and body sizes) are reported as zero because of the same-origin restrictions that apply to cross-origin resources; only coarse values such as startTime, fetchStart, responseEnd and duration remain visible.
The value can be the wildcard (*), which lets every origin read the timing information for that resource. It is better to list only the origins that actually need it: cross-origin timing and size data can be used to infer per-user state from a response (for example whether it was served from cache, or how large a personalised response was), which is why browsers withhold it by default.
Timing-Allow-Origin: <origin> [, <origin>]*
Directives: This header accepts two directives, as shown in the syntax above and described below:
- * : The wildcard; any origin may read the timing attributes of the resource.
- <origin>: A single origin (scheme, host and port, e.g. https://www.geeksforgeeks.org). Several origins can be listed, separated by commas. The browser compares each listed value byte-for-byte with the requesting document's serialized origin, so a value with a trailing slash or a path, or a different scheme or port, does not match.
Examples:
- To let every origin read the timing attributes of the resource, using the wildcard "*":
Timing-Allow-Origin: *
- To allow only "https://www.geeksforgeeks.org" to read them:
Timing-Allow-Origin: https://www.geeksforgeeks.org
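The following is an added example, not code from the original page and not a browser implementation. It models the check a browser performs against the Timing-Allow-Origin list before exposing detailed Resource Timing attributes, and the zeroing applied when that check fails. It assumes the header value is compared as a comma-separated list of exact origin strings (as the Fetch specification's TAO check does) and does not model redirect chains or request modes; the CDN origin https://cdn.example.net, the constant names and the measurement numbers are all made up for the example.

```javascript
// Added example: a model of the Timing-Allow-Origin (TAO) check and of the
// redaction a browser applies to a PerformanceResourceTiming entry when the
// check fails. Illustrative code, not a browser implementation; assumes exact
// origin-string matching and ignores redirect chains and request modes.

// Attributes the Resource Timing API reports as 0 for a cross-origin resource
// unless the TAO check passes.
const RESTRICTED_TIMESTAMPS = [
  'redirectStart', 'redirectEnd',
  'domainLookupStart', 'domainLookupEnd',
  'connectStart', 'connectEnd', 'secureConnectionStart',
  'requestStart', 'responseStart',
];
const RESTRICTED_SIZES = ['transferSize', 'encodedBodySize', 'decodedBodySize'];

// Split a Timing-Allow-Origin header value into its list of origins.
// A missing header yields an empty list, so the check below fails closed.
function parseTimingAllowOrigin(headerValue) {
  if (headerValue === undefined || headerValue === null) return [];
  return String(headerValue)
    .split(',')
    .map((v) => v.trim())
    .filter((v) => v.length > 0);
}

// The TAO check: pass if the list contains "*" or the requesting document's
// serialized origin. Matching is byte-exact, so "https://example.com/" (trailing
// slash) or a different scheme or port does not match "https://example.com".
function timingAllowCheck(requesterOrigin, headerValue) {
  const values = parseTimingAllowOrigin(headerValue);
  return values.includes('*') || values.includes(requesterOrigin);
}

// What a page's script observes in the entry: same-origin resources are never
// redacted; cross-origin ones are redacted unless the TAO check passes.
// `raw` is the full record the browser measured (not readable from a page).
function exposeResourceTiming(raw, requesterOrigin, headerValue) {
  const sameOrigin = new URL(raw.name).origin === requesterOrigin;
  const allowed = sameOrigin || timingAllowCheck(requesterOrigin, headerValue);
  const entry = { ...raw };
  if (!allowed) {
    for (const key of RESTRICTED_TIMESTAMPS) entry[key] = 0;
    for (const key of RESTRICTED_SIZES) entry[key] = 0;
  }
  return entry;
}

// Constructed sample measurement for a script fetched from a hypothetical CDN
// origin; the numbers are made up for the example.
const SAMPLE_RAW_ENTRY = {
  name: 'https://cdn.example.net/app.js',
  startTime: 120.5, fetchStart: 120.5,
  redirectStart: 0, redirectEnd: 0,
  domainLookupStart: 121.0, domainLookupEnd: 130.2,
  connectStart: 130.2, secureConnectionStart: 135.0, connectEnd: 160.7,
  requestStart: 161.0, responseStart: 201.3, responseEnd: 215.9,
  transferSize: 48211, encodedBodySize: 47910, decodedBodySize: 152044,
};

// A page on https://www.geeksforgeeks.org loads the CDN script. With no TAO
// header the detailed timings and sizes come back as 0; with the header naming
// that origin (or "*") they are exposed. responseEnd is visible either way.
const PAGE_ORIGIN = 'https://www.geeksforgeeks.org';
const withoutTao = exposeResourceTiming(SAMPLE_RAW_ENTRY, PAGE_ORIGIN, undefined);
const withTao = exposeResourceTiming(SAMPLE_RAW_ENTRY, PAGE_ORIGIN, PAGE_ORIGIN);
console.log('no TAO header :', withoutTao.responseStart, withoutTao.transferSize, withoutTao.responseEnd);
console.log('TAO header set:', withTao.responseStart, withTao.transferSize, withTao.responseEnd);
```

In a real page the raw record is never available to script; what you see in `performance.getEntriesByType('resource')` is already the redacted form, which is why a sudden run of zero-valued responseStart or transferSize values for a third-party host usually means the host is not sending Timing-Allow-Origin, or is sending a value that does not exactly match your origin.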
Supported Browsers: The browsers compatible with the HTTP Timing-Allow-Origin header are listed below:
- Google Chrome