Re: Browser Fingerprinting using HSTS and CSP from Lukasz Olejnik (W3C) on 2016-01-30 (public-privacy@w3.org from January to March 2016)

From: Lukasz Olejnik (W3C) <lukasz.w3c@gmail.com>
Date: Sat, 30 Jan 2016 22:26:35 +0000
To: "Mike O'Neill" <michael.oneill@baycloud.com>
Cc: Nick Doty <npdoty@w3.org>, Keiji Takeda <tkeiji@w3.org>, "public-privacy (W3C mailing list)" <public-privacy@w3.org>
Message-ID: <CAC1M5qqxUg00yxEfKNY5bUzZNy7ZT7pGrYtKr-rQ64pt1ythow@mail.gmail.com>

2015-12-03 9:45 GMT+00:00 Mike O'Neill <michael.oneill@baycloud.com>:

> I think the attack is about measuring the time delay between a CSP blocked
> XHR request and the resulting oneeror, then detecting whether a site had
> been visited by measuring a short delay (because the url would be cached).
> We could recommend that the UA inserts a random ~100ms-ish delay before
> triggering events from CSP blocked requests. It only needs to be there for
> cross-origin ones.
>


II'm not so sure if the introduction of random delays can effectively close
these kind of issues. They can obscure them, though. Just my short remark.

Thanks
Lukasz

Received on Saturday, 30 January 2016 22:27:06 UTC