On Fri, May 20, 2011 at 3:17 AM, Simon Fraser <simon.fra...@apple.com> wrote:

> Seems like this new web-facing API would provide more data for sites wanting
> to do user fingerprinting, even when cookies etc. are disabled.
>

Good point. To my knowledge this is the most thorough explanation of the issue:
http://sip.cs.princeton.edu/pub/webtiming.pdf

Unfortunately, the techniques mentioned in that paper are all possible without navigation or resource timing. It is also highly unlikely that anything can be done to prevent such attacks (beyond, say, artificially slowing network requests in the same way encryption algorithms are sometimes slowed).

No one has yet identified a new attack vector, but that doesn't mean one doesn't exist. Given the concern, perhaps this feature should have a run time enable guard underneath the ENABLE(WEB_TIMING) compile guard. This would give embedding applications the flexibility to enable/disable via a user preference.

>
> Simon
>
> On May 19, 2011, at 6:14 PM, James Simonsen wrote:
>
> Hello webkit-dev,
>
> The W3C Performance WG has been working on a Resource Timing spec. The spec
> is starting to stabilize and we'd like to start landing it in WebKit too.
>
> Resource Timing is a follow up to Navigation Timing, which is already in
> WebKit. Resource Timing allows site developers to collect detailed network
> timing information for the subresources they load. The data is exposed
> through the window.performance namespace and we expect developers to ping
> this information back to the server with their other analytics data. For
> security reasons, the spec limits the detailed information to same-origin
> resources, but there is also a provision for a CORS-like header to allow
> cross-origin resource timing.
>
> Resource Timing will be behind ENABLE(WEB_TIMING) since it relies on some
> of the same infrastructure as Navigation Timing. We can add an additional
> ENABLE to keep Resource Timing separate from Navigation Timing if that's
> desired.
>
> The current draft of the Resource Timing API is here:
> http://w3c-test.org/webperf/specs/ResourceTiming/
>
> A meta-bug to track the necessary work is here:
> https://bugs.webkit.org/show_bug.cgi?id=61138
>
> Please post any feedback. Thanks!
>
> _______________________________________________
> webkit-dev mailing list
> webkit-dev@lists.webkit.org
> http://lists.webkit.org/mailman/listinfo.cgi/webkit-dev
>
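The same-origin limit and the CORS-like opt-in described in the quoted announcement, modelled as an added example that is not part of the thread or of WebKit's code. It assumes the header name `Timing-Allow-Origin` and the list of zeroed attributes from the W3C Resource Timing spec as later published (neither appears in this thread); the function names, origins and timing values are constructed for illustration.

```javascript
// Added example: a model of the gate on detailed cross-origin timing.
// Assumption: header name and gated attributes follow the published W3C spec.
const GATED_FIELDS = [
  "redirectStart", "redirectEnd", "domainLookupStart", "domainLookupEnd",
  "connectStart", "connectEnd", "secureConnectionStart",
  "requestStart", "responseStart",
];

// True when a page at documentOrigin may read the detailed attributes.
function timingAllowCheck(documentOrigin, resourceOrigin, timingAllowOrigin) {
  if (documentOrigin === resourceOrigin) return true;       // same-origin
  if (typeof timingAllowOrigin !== "string") return false;  // no opt-in sent
  return timingAllowOrigin
    .split(",")
    .map((v) => v.trim())
    .some((v) => v === "*" || v === documentOrigin);        // exact match only
}

// Builds the entry a script would see; gated attributes read 0 on failure.
function exposeEntry(documentOrigin, raw) {
  const entry = { name: raw.url, ...raw.timing };
  const resourceOrigin = new URL(raw.url).origin;
  if (!timingAllowCheck(documentOrigin, resourceOrigin, raw.timingAllowOrigin)) {
    for (const field of GATED_FIELDS) entry[field] = 0;
  }
  return entry;
}

// Constructed sample: one third-party script fetched by https://site.example.
const SAMPLE = {
  url: "https://cdn.example/lib.js",
  timingAllowOrigin: undefined,
  timing: {
    startTime: 10, fetchStart: 10, domainLookupStart: 12, domainLookupEnd: 14,
    connectStart: 15, connectEnd: 28, requestStart: 30, responseStart: 80,
    responseEnd: 95, duration: 85,
  },
};

const withoutOptIn = exposeEntry("https://site.example", SAMPLE);
const withOptIn = exposeEntry("https://site.example",
  { ...SAMPLE, timingAllowOrigin: "https://site.example" });
console.log(withoutOptIn.requestStart, withoutOptIn.duration); // gated vs. open
console.log(withOptIn.requestStart, withOptIn.duration);
```

Even when the check fails, `startTime`, `responseEnd` and `duration` stay readable, which matches the reply's point that coarse load timing is observable with or without the detailed breakdown.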