2015-12-03 9:45 GMT+00:00 Mike O'Neill <michael.oneill@baycloud.com>:
> I think the attack is about measuring the time delay between a CSP blocked
> XHR request and the resulting onerror, then detecting whether a site had
> been visited by measuring a short delay (because the url would be cached).
> We could recommend that the UA inserts a random ~100ms-ish delay before
> triggering events from CSP blocked requests. It only needs to be there for
> cross-origin ones.
>
I'm not so sure if the introduction of random delays can effectively close
these kinds of issues. They can obscure them, though. Just my short remark.
Thanks
Lukasz