[webkit-dev] Request for position: Aligning high-resolution timer granularity to cross-origin isolated capability

Yoav Weiss yoav at yoav.ws
Thu Mar 18 00:26:01 PDT 2021


On Wed, Mar 17, 2021 at 5:51 PM Geoff Garen <ggaren at apple.com> wrote:

> For the 100 microsecond value — our research suggests that you need a much
> higher value in vulnerable contexts.
>
> For the guaranteed isolated case — have you considered the use of high
> precision time to carry out non-Spectre timing attacks?
>

Could you elaborate on those 2 points?


>
> Thanks,
> Geoff
>
> On Mar 17, 2021, at 3:38 AM, Yoav Weiss via webkit-dev <
> webkit-dev at lists.webkit.org> wrote:
>
> Hey folks,
>
> We recently changed <https://github.com/w3c/hr-time/pull/93> the HR-time
> spec <https://w3c.github.io/hr-time/> to better align its resolution
> clamping with cross-origin isolated capability
> <https://html.spec.whatwg.org/multipage/webappapis.html#concept-settings-object-cross-origin-isolated-capability>,
> and now I'm interested in shipping this change in Chromium.
> In practice that means that Chromium would be reducing its resolution in
> non-isolated contexts (regardless of the platform's site-isolation status)
> to 100 microseconds, and increasing it in cross-origin isolated contexts
> (even in platforms without site-isolation, e.g. Android) to 5 microseconds.
>
> As WebKit already clamps those timers to 1ms (AFAIK), I'd mostly like your
> position on the latter. Would y'all be interested in increasing timer
> granularity in contexts which have guarantees against pulling in
> cross-origin resources without their opt-in?
>
> I'd appreciate your thoughts on the matter.
>
> Cheers :)
> Yoav
>
>
>
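The clamping policy described in the quoted proposal (100 microseconds in non-isolated contexts, 5 microseconds in cross-origin isolated ones), as an added example that is not part of the thread or of any browser's code. The function names, the flooring behaviour and the simulated clock are assumptions made for illustration.

```javascript
// Added illustration; function names are hypothetical, not browser or spec APIs.
// Clamp values in microseconds, as stated in the thread above.
const RESOLUTION_US = { isolated: 5, nonIsolated: 100 };

// `isolated` mirrors the page-visible `crossOriginIsolated` boolean.
function resolutionFor(isolated) {
  return isolated ? RESOLUTION_US.isolated : RESOLUTION_US.nonIsolated;
}

// Coarsen a millisecond timestamp to a multiple of the resolution.
// Flooring is an assumption of this sketch; the epsilon absorbs float error.
function coarsen(tMs, resolutionUs) {
  const ticks = Math.floor((tMs * 1000) / resolutionUs + 1e-9);
  return (ticks * resolutionUs) / 1000;
}

// Smallest positive step between consecutive readings, in microseconds.
// Returns null if the clock never advanced during sampling.
function observedGranularityUs(samplesMs) {
  let min = Infinity;
  for (let i = 1; i < samplesMs.length; i++) {
    const d = samplesMs[i] - samplesMs[i - 1];
    if (d > 0 && d < min) min = d;
  }
  return Number.isFinite(min) ? Math.round(min * 1000) : null;
}

// Regression check: the clock must be no finer than the clamp for the context.
function meetsClamp(samplesMs, isolated) {
  const g = observedGranularityUs(samplesMs);
  return g === null || g >= resolutionFor(isolated);
}

// Read the real clock n times in a tight loop (browser or Node).
function sampleClock(n, now = () => performance.now()) {
  return Array.from({ length: n }, () => now());
}

// Constructed input: a simulated raw clock advancing 1.7 us per reading.
const raw = Array.from({ length: 1000 }, (_, i) => i * 0.0017);
const nonIsolated = raw.map((t) => coarsen(t, resolutionFor(false)));
const isolated = raw.map((t) => coarsen(t, resolutionFor(true)));

console.log(observedGranularityUs(nonIsolated), observedGranularityUs(isolated));
console.log(meetsClamp(isolated, false)); // 5 us clock fails the 100 us clamp
```

In a real page, `meetsClamp(sampleClock(100000), self.crossOriginIsolated === true)` applies the same check to the live clock.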