Re: Request Privacy Review of Navigation Timing Level 2 from Pete Snyder on 2018-12-14 (public-privacy@w3.org from October to December 2018)

From: Pete Snyder <psnyder@brave.com>
Date: Fri, 14 Dec 2018 14:44:53 -0800
To: Xiaoqian Wu <xiaoqian@w3.org>
Cc: "public-privacy (W3C mailing list)" <public-privacy@w3.org>, yoav@yoav.ws
Message-Id: <DC45320A-2F54-4AE8-8908-8EF235717F65@brave.com>

Hi Xiaoqian,

Thanks for this.  I’m very nervous about the cross origin / Timing-Allow-Origin proposal.  What is the thinking for allowing a “*” there?  What cases are anticipated that wouldn’t be solved by requiring the server to explicitly mention domains.  My concern here is that it would only take a single domain serving Timing-Allow-Origin =  “*” to allow the new timing information to be used to increasing the FP-via-timing channel.

Thanks,
Pete

> On Dec 14, 2018, at 6:00 AM, Xiaoqian Wu <xiaoqian@w3.org> wrote:
> 
> Hi,
> 
> The WebPerf WG is working on a new version of the Navigation Timing spec:
>  https://www.w3.org/TR/navigation-timing-2/
> 
> Most of the L2 features have been implemented by the major browsers.
> [[
> Navigation Timing 2 replaces the first version of [NAVIGATION-TIMING] and includes the following changes:
> 
> * the definition of Performance interface was moved to [PERFORMANCE-TIMELINE-2];
> * builds on top of [RESOURCE-TIMING-2];
> * support for [PERFORMANCE-TIMELINE-2];
> * support for [HR-TIME-2];
> * support for prerender navigations [RESOURCE-HINTS];
> * exposes number of redirects since the last non-redirect navigation;
> * exposes next hop network protocol;
> * exposes transfer, encoded body and decoded body size information;
> * secureConnectionStart attribute is now mandatory.
> ]]
> 
> The L2 spec contains a privacy consideration section, which introduces the timing allow check algorithm defined in Resource Timing L2 spec.
>  https://www.w3.org/TR/navigation-timing-2/#privacy
> [[
> There is the potential for disclosing an end-user's browsing and activity history by using carefully crafted timing attacks. For instance, the unloading time reveals how long the previous page takes to execute its unload handler, which could be used to infer the user's login status. These attacks have been mitigated by enforcing the timing allow check algorithm when timing information involving the previous navigation is accessed. [RESOURCE-TIMING-2]
> 
> The relaxed same origin policy doesn't provide sufficient protection against unauthorized visits across documents. In shared hosting, an untrusted third party is able to host an HTTP server at the same IP address but on a different port.
> ]]
> 
> Please let us know if there is any new concerns for the Navigation Timing API before the end of January, either by emails<public-web-perf@w3.org> or GitHub issues <https://github.com/w3c/navigation-timing/>.
> 
> Thanks.
> 
> -xiaoqian
>

Received on Friday, 14 December 2018 22:45:46 UTC