[webkit-dev] New Feature - Resource Timing

Patrick Mueller pmuellr at muellerware.org
Mon May 23 08:16:51 PDT 2011

On 5/20/11 1:51 PM, Maciej Stachowiak wrote:
>>> Presumably the embedding application would need to require explicit user consent to enable the feature.
> I understand that we have to keep a balance, and statistical fingerprinting is already dismayingly effective without any new features. However, "enable[d]-by-default with a hidden pref to disable" sounds like an extremely weak approach to protecting user privacy.

I can't speak to the security or insecurity of enabling the Resource 
Timing APIs.  However, I'll note that I see this API as part of the 
diagnostic side of WebKit, just like the Web Inspector debugger.

In the case of the Web Inspector today, it requires explicit user 
consent to enable the feature - you need to perform a UI gesture to open 
the debugger (hot key, menu item, etc).

Besides Resource Timing and Navigation Timing, hopefully in the near 
future, all our WebKits will have remote debugging enabled:


So there's another case where we will need some kind of explicit user 
consent to enable the feature.

I wonder if we could lump all this stuff together into a single 
"diagnostic mode" run-time guard.  Turn it on, all the diagnostic, 
perhaps dangerous, API and capability is available.  Turn it off - and 
it's off by default - and dangerous API and capability is not available.

Patrick Mueller - http://muellerware.org

More information about the webkit-dev mailing list