[webkit-dev] New Feature - Resource Timing

Tony Gentilcore tonyg at chromium.org
Fri May 20 10:10:40 PDT 2011

> Presumably the embedding application would need to require explicit user consent to enable the feature.

My conclusion was different. Given that the timing based privacy
attacks are demonstrable without the interface, I thought it
reasonable to enable-by-default with a hidden pref to disable. But
this is based on the assumption that we aren't actually exposing any
new private information. Am I missing an exploit here?

More information about the webkit-dev mailing list