[webkit-dev] New Feature - Resource Timing

2011-05-19 Thread James Simonsen
Hello webkit-dev, The W3C Performance WG has been working on a Resource Timing spec. The spec is starting to stabilize and we'd like to start landing it in WebKit too. Resource Timing is a follow up to Navigation Timing, which is already in WebKit. Resource Timing allows site developers to collec

Re: [webkit-dev] New Feature - Resource Timing

2011-05-19 Thread Simon Fraser
Seems like this new web-facing API would provide more data for sites wanting to do user fingerprinting, even when cookies etc. are disabled. Simon On May 19, 2011, at 6:14 PM, James Simonsen wrote: > Hello webkit-dev, > > The W3C Performance WG has been working on a Resource Timing spec. The s

Re: [webkit-dev] New Feature - Resource Timing

2011-05-20 Thread Tony Gentilcore
On Fri, May 20, 2011 at 3:17 AM, Simon Fraser wrote: > Seems like this new web-facing API would provide more data for sites wanting > to do user fingerprinting, even when cookies etc. are disabled. > Good point. To my knowledge this is the most thorough explanation of the issue: http://sip.cs.prin

Re: [webkit-dev] New Feature - Resource Timing

2011-05-20 Thread Alexey Proskuryakov
On 20.05.2011, at 1:55, Tony Gentilcore wrote: > Given the concern, perhaps this feature should have a run time enable guard > underneath the ENABLE(WEB_TIMING) compile guard. This would give embedding > applications the flexibility to enable/disable via a user preference. Presumably the embe

Re: [webkit-dev] New Feature - Resource Timing

2011-05-20 Thread Tony Gentilcore
> Presumably the embedding application would need to require explicit user > consent to enable the feature. My conclusion was different. Given that the timing based privacy attacks are demonstrable without the interface, I thought it reasonable to enable-by-default with a hidden pref to disable.

Re: [webkit-dev] New Feature - Resource Timing

2011-05-20 Thread Alexey Proskuryakov
On 20.05.2011, at 10:10, Tony Gentilcore wrote: >> Presumably the embedding application would need to require explicit user >> consent to enable the feature. > > My conclusion was different. Given that the timing based privacy > attacks are demonstrable without the interface, I thought it > re

Re: [webkit-dev] New Feature - Resource Timing

2011-05-20 Thread Maciej Stachowiak
On May 20, 2011, at 10:10 AM, Tony Gentilcore wrote: >> Presumably the embedding application would need to require explicit user >> consent to enable the feature. > > My conclusion was different. Given that the timing based privacy > attacks are demonstrable without the interface, I thought it

Re: [webkit-dev] New Feature - Resource Timing

2011-05-20 Thread Tony Gentilcore
I've forwarded these questions on to the working group: http://lists.w3.org/Archives/Public/public-web-perf/2011May/0102.html In the meantime, we'll hold off on landing anything until we have satisfactory answers. -Tony On Fri, May 20, 2011 at 6:51 PM, Maciej Stachowiak wrote: > > On May 20, 20

Re: [webkit-dev] New Feature - Resource Timing

2011-05-23 Thread Patrick Mueller
On 5/20/11 1:51 PM, Maciej Stachowiak wrote: Presumably the embedding application would need to require explicit user consent to enable the feature. I understand that we have to keep a balance, and statistical fingerprinting is already dismayingly effective without any new features. However

Re: [webkit-dev] New Feature - Resource Timing

2011-05-23 Thread Patrick Mueller
On 5/20/11 12:46 PM, Alexey Proskuryakov wrote: > What incentive will users have to enable it? For other privacy sensitive > features (be it cookies or geolocation), there is a clear benefit to gain > from them. This is a developer-mode feature. There is no direct incentive for end users to enabl

Re: [webkit-dev] New Feature - Resource Timing

2011-05-24 Thread Maciej Stachowiak
On May 23, 2011, at 8:16 AM, Patrick Mueller wrote: > On 5/20/11 12:46 PM, Alexey Proskuryakov wrote: >> What incentive will users have to enable it? For other privacy sensitive >> features (be it cookies or geolocation), there is a clear benefit to gain >> from them. > > This is a developer-m

Re: [webkit-dev] New Feature - Resource Timing

2011-05-24 Thread Tony Gentilcore
On Tue, May 24, 2011 at 8:14 AM, Maciej Stachowiak wrote: > > On May 23, 2011, at 8:16 AM, Patrick Mueller wrote: > > > On 5/20/11 12:46 PM, Alexey Proskuryakov wrote: > >> What incentive will users have to enable it? For other privacy sensitive > >> features (be it cookies or geolocation), there

Re: [webkit-dev] New Feature - Resource Timing

2012-03-21 Thread James Simonsen
Sorry for taking so long to get back to this. I'm planning to start working on it again, so it's time to close the loop here. The main concern earlier in this thread was the ability to take advantage of the extra timing information. We forwarded these concerns to the W3C security group as well as