[webkit-dev] New Feature - Resource Timing

[Tony Gentilcore]

> Presumably the embedding application would need to require explicit user consent to enable the feature.

My conclusion was different. Given that the timing based privacy
attacks are demonstrable without the interface, I thought it
reasonable to enable-by-default with a hidden pref to disable. But
this is based on the assumption that we aren't actually exposing any
new private information. Am I missing an exploit here?