Re: Browser Fingerprinting using HSTS and CSP

2015-12-03 9:45 GMT+00:00 Mike O'Neill <michael.oneill@baycloud.com>:

> I think the attack is about measuring the time delay between a CSP blocked
> XHR request and the resulting onerror, then detecting whether a site had
> been visited by measuring a short delay (because the url would be cached).
> We could recommend that the UA inserts a random ~100ms-ish delay before
> triggering events from CSP blocked requests. It only needs to be there for
> cross-origin ones.
>


I'm not so sure if the introduction of random delays can effectively close
this kind of issue. They can obscure it, though. Just my short remark.

Thanks
Lukasz

Received on Saturday, 30 January 2016 22:27:06 UTC
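As an added illustration of the exchange above (this is editor-supplied example code, not part of the thread or of any browser's implementation), the following Node.js simulation models the timing channel Mike describes and the random-delay mitigation he proposes, and then shows why Lukasz's reservation holds: an attacker who can repeat the probe averages the uniform delay away. The cached/uncached/noise timings, the attacker's threshold rule, and the seeded PRNG are all assumptions chosen for a reproducible demonstration, not measured browser values.

```javascript
// Added example (not from the thread): simulation of the CSP-blocked XHR
// timing channel and of a random delay inserted before onerror fires.
// All timing constants and the attacker model are illustrative assumptions.

// Small seeded PRNG (mulberry32) so runs are reproducible offline.
function makeRng(seed) {
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Assumed UA model: time from issuing a CSP-blocked cross-origin XHR to its
// onerror event is short when the URL is already cached, longer otherwise.
const CACHED_MS = 2;    // assumption: URL previously fetched, served from cache
const UNCACHED_MS = 40; // assumption: URL not in cache, slower path before block
const NOISE_MS = 3;     // assumption: scheduler/timer noise, +/- this amount

// One observation of the onerror delay. jitterMs > 0 models the proposed
// mitigation: a uniformly random delay in [0, jitterMs) before the event.
function blockedRequestDelay(visited, jitterMs, rng) {
  const base = visited ? CACHED_MS : UNCACHED_MS;
  const noise = (rng() - 0.5) * 2 * NOISE_MS;
  const jitter = rng() * jitterMs;
  return base + noise + jitter;
}

// Attacker: repeat the probe n times and compare the mean delay to a
// threshold. A uniform delay on [0, jitterMs) shifts the mean by jitterMs/2
// for visited and unvisited alike, so the attacker shifts the threshold too.
function guessVisited(visited, n, jitterMs, rng) {
  let sum = 0;
  for (let i = 0; i < n; i++) {
    sum += blockedRequestDelay(visited, jitterMs, rng);
  }
  const mean = sum / n;
  const threshold = (CACHED_MS + UNCACHED_MS) / 2 + jitterMs / 2;
  return mean < threshold;
}

// Run `trials` independent attacks, alternating visited / not visited,
// and return the fraction of correct guesses (0.5 is chance).
function attackAccuracy(n, jitterMs, trials, seed) {
  const rng = makeRng(seed);
  let correct = 0;
  for (let i = 0; i < trials; i++) {
    const truth = i % 2 === 0;
    if (guessVisited(truth, n, jitterMs, rng) === truth) correct++;
  }
  return correct / trials;
}

// Demonstration: no jitter, single probe -> perfect; 100 ms jitter, single
// probe -> degraded; 100 ms jitter but 50 repeated probes -> recovered.
const scenarios = [
  { n: 1, jitterMs: 0 },
  { n: 1, jitterMs: 100 },
  { n: 50, jitterMs: 100 },
];
for (const s of scenarios) {
  const acc = attackAccuracy(s.n, s.jitterMs, 200, 1);
  console.log(`probes=${s.n} jitter=${s.jitterMs}ms accuracy=${acc.toFixed(2)}`);
}
```

Under these assumptions a single probe against a ~100 ms uniform delay is noticeably less reliable, which is the "obscuring" effect; repeating the probe a few dozen times and averaging restores near-perfect discrimination, because the added delay has a fixed mean that the attacker simply subtracts. Whether a real UA gives an attacker enough repeatable measurements is the question the delay's value and the page's request budget would have to answer.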