Timing-Allow-Origin
Response header CORS

Overview

Timing-Allow-Origin (TAO) is a response header that grants which origins' scripts may read the detailed timing (DNS, TCP, TTFB, transfer size, and more) that the Resource Timing API exposes for a cross-origin resource. Without it, sensitive cross-origin timing values are masked to zero.

Details

The browser's PerformanceResourceTiming provides per-resource details (domainLookupStart/End, connectStart/End, requestStart, responseStart/End, etc.) plus transferSize and encodedBodySize. For cross-origin resources these are zeroed by default to prevent information leaks (such as inferring cache state or internal response times).

When the resource server allows a specific origin (or *) via Timing-Allow-Origin, scripts on that origin can read the real timings unmasked. This is essential for RUM (Real User Monitoring) and performance tooling to accurately measure the load performance of CDN and third-party assets.

The value is a list of exact origin strings (scheme, host, port) or the wildcard *. Its syntax resembles CORS's Access-Control-Allow-Origin but its purpose differs: ACAO governs response body access, whereas TAO governs exposure of timing values.

Syntax

Timing-Allow-Origin: <origin>[, <origin>]* | *

e.g. Timing-Allow-Origin: https://app.example.com

Directives / values

*Allow any origin to read this resource's detailed timing.
<origin>A specific origin (scheme+host+port) allowed to read detailed timing; comma-separate several.

Notes

Related headers

Related status codes

Specification