[webkit-dev] New Feature - Resource Timing

Tony Gentilcore tonyg at chromium.org
Fri May 20 01:55:26 PDT 2011


On Fri, May 20, 2011 at 3:17 AM, Simon Fraser <simon.fraser at apple.com> wrote:

> Seems like this new web-facing API would provide more data for sites wanting
> to do user fingerprinting, even when cookies etc. are disabled.
>

Good point. To my knowledge this is the most thorough explanation of the
issue:
http://sip.cs.princeton.edu/pub/webtiming.pdf

Unfortunately, the techniques mentioned in that paper are all possible
without navigation or resource timing. It is also highly unlikely that
anything can be done to prevent such attacks (beyond, say, artificially
slowing network requests in the same way encryption algorithms are
sometimes slowed). No one has yet identified a new attack vector, but that
doesn't mean one doesn't exist.

Given the concern, perhaps this feature should have a run time enable guard
underneath the ENABLE(WEB_TIMING) compile guard. This would give embedding
applications the flexibility to enable/disable via a user preference.


>
> Simon
>
> On May 19, 2011, at 6:14 PM, James Simonsen wrote:
>
> Hello webkit-dev,
>
> The W3C Performance WG has been working on a Resource Timing spec. The spec
> is starting to stabilize and we'd like to start landing it in WebKit too.
>
> Resource Timing is a follow up to Navigation Timing, which is already in
> WebKit. Resource Timing allows site developers to collect detailed network
> timing information for the subresources they load. The data is exposed
> through the window.performance namespace and we expect developers to ping
> this information back to the server with their other analytics data. For
> security reasons, the spec limits the detailed information to same-origin
> resources, but there is also a provision for a CORS-like header to allow
> cross-origin resource timing.
>
> Resource Timing will be behind ENABLE(WEB_TIMING) since it relies on some
> of the same infrastructure as Navigation Timing. We can add an additional
> ENABLE to keep Resource Timing separate from Navigation Timing if that's
> desired.
>
> The current draft of the Resource Timing API is here:
> http://w3c-test.org/webperf/specs/ResourceTiming/
>
> A meta-bug to track the necessary work is here:
> https://bugs.webkit.org/show_bug.cgi?id=61138
>
> Please post any feedback. Thanks!
>
>
>
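
An added example, not part of the original messages and not WebKit code: a JavaScript model of the restriction described in the announcement above, where detailed timing is limited to same-origin resources unless the resource opts in with a CORS-like header. It assumes the header name `Timing-Allow-Origin` and the list of zeroed attributes from the published Resource Timing specification, which may differ from the 2011 draft; the function names, origins and sample entry are constructed for illustration.

```javascript
// Added example: a model of the exposure rule, not WebKit or spec code.
// Attributes zeroed for cross-origin resources that did not opt in
// (assumption: list as in the published Resource Timing specification).
const DETAILED_FIELDS = [
  "redirectStart", "redirectEnd", "domainLookupStart", "domainLookupEnd",
  "connectStart", "connectEnd", "requestStart", "responseStart",
  "secureConnectionStart",
];

// True when the page at pageOrigin may see detailed timing for resourceUrl.
// taoHeader is the resource's Timing-Allow-Origin response header, if any.
function timingAllowCheck(pageOrigin, resourceUrl, taoHeader) {
  if (new URL(resourceUrl).origin === pageOrigin) return true; // same-origin
  if (!taoHeader) return false;                                // no opt-in
  return taoHeader.split(",").map((v) => v.trim())
    .some((v) => v === "*" || v === pageOrigin);               // exact match only
}

// Returns a copy of the entry as the page would see it.
function exposeEntry(pageOrigin, entry, taoHeader) {
  const visible = { ...entry };
  if (!timingAllowCheck(pageOrigin, entry.name, taoHeader)) {
    for (const field of DETAILED_FIELDS) visible[field] = 0;
  }
  return visible;
}

// Constructed sample: one cross-origin script as the browser measured it.
const PAGE_ORIGIN = "https://shop.example";
const SAMPLE_ENTRY = {
  name: "https://cdn.example.net/lib.js",
  startTime: 10, fetchStart: 10, redirectStart: 0, redirectEnd: 0,
  domainLookupStart: 12, domainLookupEnd: 30, connectStart: 30,
  secureConnectionStart: 40, connectEnd: 55, requestStart: 56,
  responseStart: 90, responseEnd: 120,
};

// Show what the page learns under different header values.
for (const tao of [undefined, "https://other.example", "https://shop.example", "*"]) {
  const e = exposeEntry(PAGE_ORIGIN, SAMPLE_ENTRY, tao);
  console.log(`TAO=${tao}: dns=${e.domainLookupEnd - e.domainLookupStart}ms`,
    `connect=${e.connectEnd - e.connectStart}ms`,
    `total=${e.responseEnd - e.startTime}ms`);
}
```

Without an opt-in the page still sees the coarse start and end times, but not the DNS, connect and request phases.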