On Fri, May 20, 2011 at 3:17 AM, Simon Fraser <simon.fraser@apple.com> wrote:
Seems like this new web-facing API would provide more data for sites wanting to do user fingerprinting, even when cookies etc. are disabled.

Good point. To my knowledge this is the most thorough explanation of the issue:
http://sip.cs.princeton.edu/pub/webtiming.pdf

Unfortunately, the techniques mentioned in that paper are all possible without navigation or resource timing. It is also highly unlikely that anything can be done to prevent such attacks (beyond, say, artificially slowing network requests in the same way encryption algorithms are sometimes slowed). No one has yet identified a new attack vector, but that doesn't mean one doesn't exist.

Given the concern, perhaps this feature should have a run time enable guard underneath the ENABLE(WEB_TIMING) compile guard. This would give embedding applications the flexibility to enable/disable via a user preference.
 

Simon
 
On May 19, 2011, at 6:14 PM, James Simonsen wrote:

Hello webkit-dev,

The W3C Performance WG has been working on a Resource Timing spec. The spec is starting to stabilize and we'd like to start landing it in WebKit too.

Resource Timing is a follow up to Navigation Timing, which is already in WebKit. Resource Timing allows site developers to collect detailed network timing information for the subresources they load. The data is exposed through the window.performance namespace and we expect developers to ping this information back to the server with their other analytics data. For security reasons, the spec limits the detailed information to same-origin resources, but there is also a provision for a CORS-like header to allow cross-origin resource timing.

Resource Timing will be behind ENABLE(WEB_TIMING) since it relies on some of the same infrastructure as Navigation Timing. We can add an additional ENABLE to keep Resource Timing separate from Navigation Timing if that's desired.

The current draft of the Resource Timing API is here:

A meta-bug to track the necessary work is here:

Please post any feedback. Thanks!


_______________________________________________
webkit-dev mailing list
webkit-dev@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-dev
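
The same-origin restriction and CORS-like opt-in described in the original announcement, modeled as an added example that is not part of the thread or of WebKit's code. It assumes the header name `Timing-Allow-Origin` and the zeroed-field list from the Resource Timing specification as later published (the thread names neither); the function names, origins and timing values are constructed for illustration.

```javascript
// Fields a page may not read for a cross-origin resource that did not opt in
// (assumption: list taken from the published Resource Timing spec).
const DETAILED_FIELDS = [
  'redirectStart', 'redirectEnd', 'domainLookupStart', 'domainLookupEnd',
  'connectStart', 'connectEnd', 'secureConnectionStart',
  'requestStart', 'responseStart',
];

// True when script running at pageOrigin may see detailed timing for resourceUrl.
function timingAllowed(pageOrigin, resourceUrl, timingAllowOrigin) {
  if (new URL(resourceUrl).origin === pageOrigin) return true; // same-origin
  if (!timingAllowOrigin) return false;                        // no opt-in header sent
  return timingAllowOrigin.split(',')
    .map((value) => value.trim())
    .some((value) => value === '*' || value === pageOrigin);   // exact, case-sensitive
}

// Returns the entry as page script would observe it: coarse fields are kept,
// detailed network phases are zeroed when the check fails.
function exposeEntry(pageOrigin, fetched) {
  const entry = { name: fetched.url, ...fetched.timing };
  if (!timingAllowed(pageOrigin, fetched.url, fetched.timingAllowOrigin)) {
    for (const field of DETAILED_FIELDS) entry[field] = 0;
  }
  return entry;
}

// Audit helper: cross-origin resources whose detailed timing this page can read.
function crossOriginExposed(pageOrigin, fetches) {
  return fetches
    .filter((f) => new URL(f.url).origin !== pageOrigin)
    .filter((f) => timingAllowed(pageOrigin, f.url, f.timingAllowOrigin))
    .map((f) => f.url);
}

// Constructed sample data: one same-origin fetch, two cross-origin fetches.
const PAGE = 'https://site.example';
const TIMING = { startTime: 10, fetchStart: 10, domainLookupStart: 12,
  domainLookupEnd: 20, connectStart: 20, connectEnd: 45,
  requestStart: 46, responseStart: 90, responseEnd: 120 };
const SAMPLE = [
  { url: 'https://site.example/app.js', timingAllowOrigin: null, timing: TIMING },
  { url: 'https://cdn.example/lib.js', timingAllowOrigin: null, timing: TIMING },
  { url: 'https://ads.example/tag.js', timingAllowOrigin: '*', timing: TIMING },
];

for (const f of SAMPLE) console.log(exposeEntry(PAGE, f));
console.log('cross-origin with detail:', crossOriginExposed(PAGE, SAMPLE));
```
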