Clarify NEL's purpose, and a question

[Synchro]

I found the docs for NEL led me in entirely the wrong direction, expecting it to be essentially CSP-style reporting for network problems. for example, if my web page loads a script from some other location, but its cert has expired, or it 404s, as the web page author I want to know about that. It's much less interesting (to me) that the owner of the resource receives the report – after all, they will already see nearly all of these events in their server-side logs anyway, whereas this would likely be the only way that I can see client-side errors.

The initial problem of getting the NEL header in the first place adds confusion, and I agree with the sentiment behind #173. I have direct control over the headers and endpoints for my own domain, and I'm far more interested in my use of external resources than I am in other people's use of mine (perhaps it might be different if I was operating say, a CDN).

The introductory text of the spec doesn't make this orientation clear:

Today, application developers do not have real-time web application availability data from their end users. For example, if the user fails to load the page due to a network error, such as a failed DNS lookup, a connection timeout, a reset connection, or other reasons, the site developer is unable to detect and address this issue.

My confusion arises because this describes exactly my position as a web app / site developer, not the owner of the resource: "a problem occurred on your site for a certain subset of your users, but I'm not going to tell you, I'm going to tell someone else". The net result is that the site developer that implements NEL is still unable to detect and address this issue. A small example or diagram would work wonders here.

Meanwhile, is there any proposal or option to make it work this way (the only real difference would be report destinations)? Or perhaps some other reporting system that does?

[Sora2455]

I mean, there's nothing stopping you from catching error events from script, link, etc tags in JS. Once you know it's not loading, it should only be a quick investigation to find out why.

[Synchro]

This is also true for those that currently receive NEL reports (a very small subset of those that would actually benefit from them), so why don't they do that instead of bothering with a spec and a browser implementation? What if I don't want to involve JS, or can't load the script?

[Sora2455]

My understanding is that NEL was intended less to catch when page resources weren't loading and more when the page itself wasn't loading, due to e.g. a DNS issue.

[Synchro]

It doesn't really matter to NEL what resource isn't loading (though remember that it has to have worked at least once since the max-age value for NEL to work at all), but I'd venture that the number of page resources is absolutely tiny when compared with the sub-resources loaded by pages. It's not uncommon to load a single page that makes over 1,000 sub-requests (thanks to the joys of Google Tag Manager). As a site owner, I'd want those reports to go to me rather than the places that the resources are loaded from. I understand that that might be useful too, but I don't see any reason we couldn't do both.