
[Open Issue] Privacy concern with Navigation Timing

From: Anderson Quach <aquach@microsoft.com>
Date: Fri, 15 Oct 2010 18:46:30 +0000
To: "public-web-perf@w3.org" <public-web-perf@w3.org>
Message-ID: <1E1FF4102DEA7A40AF9CC342044ECE5D2E21A830@TK5EX14MBXW603.wingroup.windeploy.ntdev.microsoft.com>
Hi All,

We're calling for input on a matter of privacy concerns with Navigation Timing. The following attributes are being vetted to understand the threat with exposing Navigation Timing [1] attributes that can reveal to an attacking site what an end-user is doing in a particular session.

(Please see the attached png for a visual representation of the timeline)

navigationStart
The issue with this timing marker is that it reveals the absolute start point of the navigation, which may include the timing phase associated with redirection and the time spent in the unload event.

redirectStart
redirectEnd
After committing the navigation, the previous page (a.com) may perform redirections when navigating to the target/current page (b.com). Thus, b.com has access to specific timing information that is associated with redirections of a.com.

redirectCount
This attribute is related to redirectStart and redirectEnd, revealing the number of redirects while navigating from a.com to b.com. Thus, the target/current page (b.com) has access to the number of redirections associated with the previous page (a.com).

unloadEventStart
unloadEventEnd
After committing the navigation, the previous page (a.com) may have an unload event handler while navigating to the target/current page (b.com). Thus, b.com has access to how long a.com's unload handler took to execute.

[1] http://dvcs.w3.org/hg/webperf/raw-file/tip/specs/NavigationTiming/Overview.html

Thanks,
Anderson Quach
IE Program Manager



(image/png attachment: navigationtiming_timeline.png)

Received on Friday, 15 October 2010 18:48:15 GMT
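
An added example, not part of the original message: it models what b.com can derive about a.com from the attributes listed above, and what remains after a same-origin gate. The gate (`gateTiming`), the origins and the sample timestamps are assumptions constructed for illustration; the message itself proposes no specific mitigation.

```javascript
// Added illustration; the timing values and origins below are constructed.
// Attribute names are the ones listed in the message (millisecond timestamps).
const PREVIOUS_PAGE_FIELDS = [
  "redirectStart", "redirectEnd", "redirectCount",
  "unloadEventStart", "unloadEventEnd",
];

// What the current page can infer about the previous page from a timing record.
function derivedFromPreviousPage(t) {
  return {
    redirectCount: t.redirectCount,
    redirectMs: t.redirectEnd - t.redirectStart,
    unloadHandlerMs: t.unloadEventEnd - t.unloadEventStart,
  };
}

// Hypothetical gate: zero the previous-page fields unless the previous
// document and every redirect hop share the current document's origin.
// navigationStart is left untouched; the message raises it as a separate concern.
function gateTiming(t, currentOrigin, previousOrigin, redirectOrigins) {
  const sameOrigin = previousOrigin === currentOrigin &&
    redirectOrigins.every((o) => o === currentOrigin);
  const gated = { ...t };
  if (!sameOrigin) {
    for (const field of PREVIOUS_PAGE_FIELDS) gated[field] = 0;
  }
  return gated;
}

// Constructed record: a.com runs a 120 ms unload handler and redirects twice.
const sample = {
  navigationStart: 1000,
  unloadEventStart: 1005, unloadEventEnd: 1125,
  redirectStart: 1130, redirectEnd: 1480, redirectCount: 2,
};

const raw = derivedFromPreviousPage(sample);
const gated = derivedFromPreviousPage(
  gateTiming(sample, "https://b.com", "https://a.com",
             ["https://a.com", "https://a.com"]));
console.log("ungated view from b.com:", raw);
console.log("gated view from b.com:  ", gated);
```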
