I am reading this post about resource timing API and I can not understand the reason behind the following restriction:
Resources fetched from a third-party must provide an additional HTTP header (Timing-Allow-Origin: *) to allow the site to gather detailed network timing data. If the header is absent, the only available data is the total duration of the request.
While I can easily understand the reason behind blocking requests without Access-Control-Allow-Origin header, I am struggling to understand why should not I get information about timing without Timing-Allow-Origin header.
After reading W3C document about resource timing API I found that they give an explanation for this in privacy & security section
Statistical fingerprinting is a privacy concern where a malicious web site may determine whether a user has visited a third-party web site by measuring the timing of cache hits and misses of resources in the third-party web site. Though the PerformanceResourceTiming interface gives timing information for resources in a document, the cross-origin restrictions prevent making this privacy concern any worse than it is today using the load event on resources to measure timing to determine cache hits and misses.
Basically they want to prevent malicious people from checking whether a user accessed some page previously.