
Re: Cross-Origin Resources and Resource Timing

From: James Simonsen <simonjam@chromium.org>
Date: Tue, 13 Sep 2011 10:51:18 -0700
Message-ID: <CAPVJQinBYWtB7bp2qP2WAAodNZ+YQU4TniVtuYLutg+8vz=mVQ@mail.gmail.com>
To: "public-web-perf@w3.org" <public-web-perf@w3.org>
On Wed, Sep 7, 2011 at 2:18 AM, Alois Reitbauer <alois.reitbauer@dynatrace.com> wrote:

> Getting the overall time is already helpful, while missing the details makes
> diagnosing problems really hard. I have to say I am no security expert, so I
> am not the right person to judge the security implications. It might be a
> good idea to state the security concerns in a non-normative section. As Pat
> pointed out, third-party providers will have to be convinced to support the
> new header. Having a strong reference like a W3C standard would be helpful
> here.
>

The main attack is determining if a user is logged in to a third party site.
If they include a resource from a third party site and see that it loaded
quickly, for instance because an HTTPS connection already existed, then they
can learn things like which bank the user uses.

We are trying to make this useful for developers, but our users' privacy
comes first.

James
Received on Tuesday, 13 September 2011 17:51:43 UTC
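As an added example (not part of this thread or of any browser's code), the following Node-runnable JavaScript models the opt-in header Alois and Pat refer to, following the Resource Timing specification's Timing-Allow-Origin rule: a cross-origin response that does not list the document's origin (or `*`) has its connection-level timestamps zeroed, so only the overall fetch time remains visible. The origins, header values and timing numbers below are constructed.

```javascript
// Attributes the Resource Timing spec hides for cross-origin resources that
// fail the timing allow check (DNS, TCP, TLS and request/response phases).
const RESTRICTED = [
  'redirectStart', 'redirectEnd', 'domainLookupStart', 'domainLookupEnd',
  'connectStart', 'connectEnd', 'secureConnectionStart',
  'requestStart', 'responseStart',
];

// Timing allow check: same-origin always passes; otherwise the resource's
// Timing-Allow-Origin header must list the document's origin or "*".
function timingAllowCheck(documentOrigin, resourceOrigin, taoHeader) {
  if (documentOrigin === resourceOrigin) return true;
  if (taoHeader == null) return false;            // third party did not opt in
  return taoHeader.split(',')
    .map((v) => v.trim())
    .some((v) => v === '*' || v === documentOrigin);
}

// Returns what a page at documentOrigin would actually see for this entry.
function redactEntry(entry, documentOrigin, taoHeader) {
  const resourceOrigin = new URL(entry.name).origin;
  const visible = { ...entry };
  if (!timingAllowCheck(documentOrigin, resourceOrigin, taoHeader)) {
    for (const key of RESTRICTED) visible[key] = 0;
  }
  // The overall time survives either way, which is the point made above.
  visible.duration = entry.responseEnd - entry.startTime;
  return visible;
}

// Constructed sample: a cross-origin script fetched over a reused HTTPS
// connection, so DNS and connect phases collapse onto fetchStart.
const sample = {
  name: 'https://third-party.example/widget.js',
  startTime: 100, fetchStart: 100,
  domainLookupStart: 100, domainLookupEnd: 100,
  connectStart: 100, connectEnd: 100, secureConnectionStart: 100,
  requestStart: 101, responseStart: 120, responseEnd: 125,
};

const DOC_ORIGIN = 'https://app.example';   // constructed embedding page
// Without the header only fetchStart/responseEnd/duration are meaningful.
console.log(redactEntry(sample, DOC_ORIGIN, undefined));
// With an explicit opt-in the detailed phases are exposed.
console.log(redactEntry(sample, DOC_ORIGIN, 'https://app.example'));
```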
