Better integration with ResourceTiming  #117

@npm1

In PerformanceTiming we use same-origin checks for security, whereas ResourceTiming uses TimingAllowOrigin checks. From the descriptions of PerformanceTiming, I'd expect all of the following to not require security checks in PerformanceNavigationTiming:

  • domainLookupStart
  • domainLookupEnd
  • connectStart
  • connectEnd
  • secureConnectionStart
  • requestStart
  • responseStart

This seems to be fine per the processing model here: https://w3c.github.io/navigation-timing/#processing-model. But if I click on the link to one of these, it takes me to ResourceTiming, which does TAO checks for all of these (example: https://www.w3.org/TR/resource-timing-2/#dom-performanceresourcetiming-domainlookupstart). This makes the spec reading quite confusing.

Especially confusing is secureConnectionStart because the processing model says "A user agent MUST also set the secureConnectionStart attribute as defined in the attribute's processing model in [RESOURCE-TIMING]." Does this mean that this attribute should require TAO checks even if PerformanceTiming exposed this attribute without same-origin checks?
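
The two gating rules contrasted in this issue, as an added example that is not part of the original issue or of either spec: a simplified model (single response, no redirects) of a same-origin check beside a Timing-Allow-Origin check, applied to the seven attributes listed above. The function names, origins and timing values are constructed for illustration.

```javascript
// Added illustration: simplified model, not text from either spec.
// The seven attributes listed in the issue.
const LISTED = [
  'domainLookupStart', 'domainLookupEnd', 'connectStart', 'connectEnd',
  'secureConnectionStart', 'requestStart', 'responseStart',
];

// Same-origin check: passes only if the fetched URL shares the document's origin.
function sameOriginCheck(url, documentOrigin) {
  return new URL(url).origin === documentOrigin;
}

// Timing-Allow-Origin check (assumption: one response, no redirects): passes for
// same-origin fetches, or when the header lists "*" or the exact document origin.
function taoCheck(url, documentOrigin, taoHeader) {
  if (sameOriginCheck(url, documentOrigin)) return true;
  if (!taoHeader) return false;
  return taoHeader.split(',').map((v) => v.trim())
    .some((v) => v === '*' || v === documentOrigin);
}

// Return a copy of the entry with the listed attributes zeroed when not allowed.
function gate(entry, allowed) {
  const out = { ...entry };
  if (!allowed) for (const attr of LISTED) out[attr] = 0;
  return out;
}

// Names of the listed attributes that report 0 after gating.
function zeroed(entry) { return LISTED.filter((a) => entry[a] === 0); }

// Constructed sample: a cross-origin fetch observed from https://app.example.
const DOC = 'https://app.example';
const sample = {
  name: 'https://cdn.example/lib.js',
  domainLookupStart: 12.1, domainLookupEnd: 15.4, connectStart: 15.4,
  connectEnd: 41.0, secureConnectionStart: 22.7, requestStart: 41.3,
  responseStart: 88.9,
};

// Count how many listed attributes each rule hides for a given header value.
function compare(taoHeader) {
  return {
    sameOrigin: zeroed(gate(sample, sameOriginCheck(sample.name, DOC))).length,
    tao: zeroed(gate(sample, taoCheck(sample.name, DOC, taoHeader))).length,
  };
}
console.log(compare(undefined), compare('*'), compare('https://other.example'));
```

The two rules differ only when a cross-origin response opts in through the header, which is the case where an implementer needs to know which rule an attribute follows.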
