[webkit-dev] On adding 'console.memory' API (and about the whole 'console' object.)

Adam Barth abarth at webkit.org
Wed Jun 2 12:06:53 PDT 2010

I haven't looked into the details, but, in general, side channel
information is a rich area for unintentional disclosure.  For example,
timing information leaks a ton of information.

Here's a recent paper that shows a bunch of stuff you can use from the
sizes of things.  In this case, they're looking at the size on the
wire, but you could imagine something similar for in-memory size:
On Wed, Jun 2, 2010 at 11:52 AM, Sam Weinig <sam.weinig at gmail.com> wrote:
> Now that I have had a little time to think about it, I think my biggest
> concern with this type of API is the unintentional ability for an attacker
> to gain information from the engine consuming specific amounts of memory.
> Let's take the visited link history stealing attack as an example.  Even
> though you can no longer use getComputedStyle() directly to gain information
> as to whether a link was visited or not, if the engine allocated subtly
> different amounts of memory depending on whether the link was visited or
> not, an attacker could detect this and gain that information.
> Adam (and other web security people), am I being overly paranoid about this?
> -Sam
> On Fri, May 28, 2010 at 10:56 AM, Mikhail Naganov <mnaganov at chromium.org>
> wrote:
>> Greetings, WebKit developers,
>> As a response to requests from web apps developers, I intended to
>> add a simple API for accessing web app's memory consumption, see
>> https://bugs.webkit.org/show_bug.cgi?id=39646
>> The scenario of using this API is as follows:
>>  - a buildbot runs web app's common usage scenarios tests;
>>  - inside tests, memory usage is recorded via the API proposed;
>>  - the results are sent to a server (using XHR or a CGI request);
>>  - server plots nice graphs of memory usage status, bound to the
>> changes made to the web app;
>>  - thus, if someone does a change that blows up memory usage,
>> developers will notice.
>> As Sam points out, this change may be fine, but he suggests making it
>> accessible only when a browser runs in a special "developer" mode.
>> This can also be applied to the whole 'console' object.
>> Please share your thoughts on this.
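The side channel Sam describes, worked through as an added example (not code from the thread, from WebKit, or from the console.memory proposal): a constructed stand-in for the renderer allocates a few extra bytes when a link is visited, and a page that can read memory usage turns that into a history oracle. The byte counts, the 1 MiB bucket, the `ModelEngine` class and all function names are assumptions made for illustration. The example also goes one step past the thread: it shows that merely rounding the reported figure is not enough, because the page can pad its own allocations up to a bucket boundary so that the small difference flips the rounded value.

```javascript
// Constructed model of a renderer (assumption, not measured WebKit behaviour):
// resolving a visited link allocates VISITED_EXTRA bytes more than an
// unvisited one. The user's history is the secret the attacker is after.
const LINK_BASE = 4096;     // assumed cost of rendering any link
const VISITED_EXTRA = 64;   // assumed extra cost for a visited link
const MIB = 1 << 20;

class ModelEngine {
  constructor(visitedUrls, initialBytes) {
    this.visited = new Set(visitedUrls); // secret: browsing history
    this.allocated = initialBytes;       // bytes currently live in the model
  }
  renderLink(url) {
    const cost = LINK_BASE + (this.visited.has(url) ? VISITED_EXTRA : 0);
    this.allocated += cost;
    return cost;
  }
  allocate(bytes) { this.allocated += bytes; return bytes; } // page-controlled (e.g. a string)
  release(bytes) { this.allocated -= bytes; }
}

// Reporter 1: a naive memory API that exposes the exact figure.
const exactReporter = (engine) => engine.allocated;

// Reporter 2: the same figure rounded down to a 1 MiB bucket, the obvious
// "coarsen it" mitigation.
const bucketedReporter = (engine) => Math.floor(engine.allocated / MIB) * MIB;

// Attacker side: differential measurement. Render a link, read the reporter
// before and after, undo the allocation, and compare the delta with a
// control link the attacker knows is unvisited.
function measureDelta(engine, reporter, url) {
  const before = reporter(engine);
  const cost = engine.renderLink(url);
  const after = reporter(engine);
  engine.release(cost);
  return after - before;
}

function inferVisited(engine, reporter, targetUrl, controlUrl) {
  const control = measureDelta(engine, reporter, controlUrl);
  const target = measureDelta(engine, reporter, targetUrl);
  return target !== control;
}

// Attacker's answer to plain bucketing: pad until the bucketed report ticks
// over (the model is then exactly on a boundary), then give back just enough
// that an unvisited render stays below the boundary and a visited one
// crosses it. The attacker is assumed to know LINK_BASE approximately.
function alignToBoundary(engine, reporter) {
  const slack = LINK_BASE + VISITED_EXTRA / 2;
  engine.allocate(slack);                 // ensure we hold `slack` bytes to give back
  const start = reporter(engine);
  while (reporter(engine) === start) engine.allocate(1);
  engine.release(slack);
}

// Runs the three scenarios and returns the attacker's verdicts.
function demonstrate() {
  const history = ['https://example.org/secret'];
  const target = 'https://example.org/secret';
  const control = 'https://example.org/never-visited';

  const exact = new ModelEngine(history, 300000);
  const leaksWithExactReport = inferVisited(exact, exactReporter, target, control);

  const bucketed = new ModelEngine(history, 300000);
  const leaksWithBucketing = inferVisited(bucketed, bucketedReporter, target, control);

  alignToBoundary(bucketed, bucketedReporter);
  const leaksAfterAlignment = inferVisited(bucketed, bucketedReporter, target, control);

  return { leaksWithExactReport, leaksWithBucketing, leaksAfterAlignment };
}
```

In the model, the exact reporter leaks the visited bit outright; bucketing hides it for an arbitrary starting state but not once the page has aligned itself to a bucket boundary. The practical lesson is the one Sam is driving at: if such an API ships at all, the reported value needs to be coarse and also stale or noisy (updated rarely, or perturbed), or gated behind a developer-only mode, rather than merely rounded.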
