Ian Hickson wrote on 4/9/2009 1:42 AM:
> On Thu, 9 Apr 2009, Bil Corry wrote:
>> For example, imagine instead you visit a malicious site, and it wants to
>> phish your banking credentials. But rather than choosing a random bank
>> and hoping you bank there, it instead launches a series of timing
>> attacks against the top 30 banks, determines which bank(s) you're logged
>> into, then tries phishing against the one you're logged into.
>> CORS-Origin can't help, but a robust Origin could.
>
> You could just do a timing attack against non-login-protected assets that
> are only shown while logged in, or even just do timing attacks against any
> cached resource from the site, to see if they visited it. Or heck, you
> could just do a regular :visited history probing attack to see which site
> they visited. If we wanted to protect against timing attacks like this
> I think we would need to just have the browser itself ensure all network
> traffic has unpredictable timing (and remove the visited URLs features).

My point is that a robust Origin moves us closer to better security controls, perhaps not all the way, but certainly much closer than CORS-Origin gets us.

- Bil