[webkit-dev] Request for position: Aligning high-resolution timer granularity to cross-origin isolated capability

Geoff Garen ggaren at apple.com
Wed Mar 17 09:50:26 PDT 2021

For the 100 microsecond value — our research suggests that you need a much higher value in vulnerable contexts.

For the guaranteed isolated case — have you considered the use of high precision time to carry out non-Spectre timing attacks?


> On Mar 17, 2021, at 3:38 AM, Yoav Weiss via webkit-dev <webkit-dev at lists.webkit.org> wrote:
> Hey folks,
> We recently changed <https://github.com/w3c/hr-time/pull/93> the HR-time spec <https://w3c.github.io/hr-time/> to better align its resolution clamping with cross-origin isolated capability <https://html.spec.whatwg.org/multipage/webappapis.html#concept-settings-object-cross-origin-isolated-capability>, and now I'm interested in shipping this change in Chromium.
> In practice that means that Chromium would be reducing its resolution in non-isolated contexts (regardless of the platform's site-isolation status) to 100 microseconds, and increasing it in cross-origin isolated contexts (even in platforms without site-isolation, e.g. Android) to 5 microseconds.
> As WebKit already clamps those timers to 1ms (AFAIK), I'd mostly like your position on the latter. Would y'all be interested in increasing timer granularity in contexts which have guarantees against pulling in cross-origin resources without their opt-in?
> I'd appreciate your thoughts on the matter.
> Cheers :)
> Yoav
> _______________________________________________
> webkit-dev mailing list
> webkit-dev at lists.webkit.org
> https://lists.webkit.org/mailman/listinfo/webkit-dev

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-dev/attachments/20210317/d352c451/attachment.htm>

More information about the webkit-dev mailing list