[webkit-dev] Request for position: Aligning high-resolution timer granularity to cross-origin isolated capability
yoav at yoav.ws
Thu Mar 18 00:26:01 PDT 2021
On Wed, Mar 17, 2021 at 5:51 PM Geoff Garen <ggaren at apple.com> wrote:
> For the 100 microsecond value — our research suggests that you need a much
> higher value in vulnerable contexts.
> For the guaranteed isolated case — have you considered the use of high
> precision time to carry out non-Spectre timing attacks?
Could you elaborate on those 2 points?
> On Mar 17, 2021, at 3:38 AM, Yoav Weiss via webkit-dev <
> webkit-dev at lists.webkit.org> wrote:
> Hey folks,
> We recently changed <https://github.com/w3c/hr-time/pull/93> the HR-time
> spec <https://w3c.github.io/hr-time/> to better align its resolution
> clamping with cross-origin isolated capability
> and now I'm interested in shipping this change in Chromium.
> In practice that means that Chromium would be reducing its resolution in
> non-isolated contexts (regardless of the platform's site-isolation status)
> to 100 microseconds, and increasing it in cross-origin isolated contexts
> (even in platforms without site-isolation, e.g. Android) to 5 microseconds.
> As WebKit already clamps those timers to 1ms (AFAIK), I'd mostly like your
> position on the latter. Would y'all be interested in increasing timer
> granularity in contexts which have guarantees against pulling in
> cross-origin resources without their opt-in?
> I'd appreciate your thoughts on the matter.
> Cheers :)
> webkit-dev mailing list
> webkit-dev at lists.webkit.org
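The clamping policy discussed in this thread (100 microseconds in non-isolated contexts, 5 microseconds in cross-origin isolated ones) can be checked from script. The following is an added example, not part of the thread or of any browser's code; the function names are hypothetical, and it assumes plain clamping to a grid with no added jitter.

```javascript
// Added example: the constants are the Chromium values quoted in the thread.
const RESOLUTION_US = { isolated: 5, nonIsolated: 100 };

// Clamp a timestamp (integer microseconds) down to a resolution grid.
function coarsenUs(tUs, resolutionUs) {
  return Math.floor(tUs / resolutionUs) * resolutionUs;
}

function gcd(a, b) {
  while (b !== 0) [a, b] = [b, a % b];
  return a;
}

// Coarsest grid (in microseconds) that all samples sit on: the GCD of the
// gaps between distinct readings. It is always a multiple of the real
// granularity, so it can overestimate it but never underestimate it.
function estimateGranularityUs(samplesUs) {
  const sorted = [...new Set(samplesUs)].sort((x, y) => x - y);
  let g = 0;
  for (let i = 1; i < sorted.length; i++) g = gcd(g, sorted[i] - sorted[i - 1]);
  return g; // 0 means fewer than two distinct readings
}

// Compare the observed granularity with the clamp expected for this context.
function auditTimer(samplesUs, isolated) {
  const expectedUs = isolated ? RESOLUTION_US.isolated : RESOLUTION_US.nonIsolated;
  const observedUs = estimateGranularityUs(samplesUs);
  return { observedUs, expectedUs,
           finerThanExpected: observedUs > 0 && observedUs < expectedUs };
}

// Collect n distinct performance.now() readings, rounded to whole microseconds.
function sampleNowUs(n) {
  const seen = new Set();
  while (seen.size < n) seen.add(Math.round(performance.now() * 1000));
  return [...seen];
}

// Constructed raw timestamps (microseconds), not measurements from any browser.
const RAW_US = [1234, 1310, 1550, 2049, 2700, 3905];
console.log(auditTimer(RAW_US.map(t => coarsenUs(t, 100)), false));
console.log(auditTimer(RAW_US.map(t => coarsenUs(t, 5)), false));
```

In a page, `auditTimer(sampleNowUs(200), self.crossOriginIsolated === true)` runs the same check against the live timer; a `finerThanExpected` result of `true` means the timer is exposing more precision than the policy allows for that context.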