[webkit-dev] New Feature - Resource Timing

Alexey Proskuryakov ap at webkit.org
Fri May 20 10:16:21 PDT 2011

20.05.2011, в 10:10, Tony Gentilcore написал(а):

>> Presumably the embedding application would need to require explicit user consent to enable the feature.
> My conclusion was different. Given that the timing based privacy
> attacks are demonstrable without the interface, I thought it
> reasonable to enable-by-default with a hidden pref to disable. But
> this is based on the assumption that we aren't actually exposing any
> new private information. Am I missing an exploit here?

I'm nowhere near to being an expert here. The reason I'm worried is that this API provides very precise timing data, potentially making fingerprinting and information disclosure much more reliable in practice.

- WBR, Alexey Proskuryakov

More information about the webkit-dev mailing list