[webkit-dev] New Feature - Resource Timing
Alexey Proskuryakov
ap at webkit.org
Fri May 20 10:16:21 PDT 2011
On 20.05.2011, at 10:10, Tony Gentilcore wrote:
>> Presumably the embedding application would need to require explicit user consent to enable the feature.
>
> My conclusion was different. Given that the timing-based privacy
> attacks are demonstrable without the interface, I thought it
> reasonable to enable-by-default with a hidden pref to disable. But
> this is based on the assumption that we aren't actually exposing any
> new private information. Am I missing an exploit here?
I'm nowhere near to being an expert here. The reason I'm worried is that this API provides very precise timing data, potentially making fingerprinting and information disclosure much more reliable in practice.
- WBR, Alexey Proskuryakov