[Open Issue] Privacy concern with Navigation Timing

Hi All,

We're calling for input on a matter of privacy concerns with Navigation Timing. The following attributes are being vetted to understand the threat with exposing Navigation Timing [1] attributes that can reveal to an attacking site what an end-user is doing in a particular session.

(Please see the attached png for a visual representation of the timeline)

navigationStart
The issue with this timing marker is that it reveals the absolute start point of the navigation, which may include the timing phase associated with redirection and the time spent in the unload event.

redirectStart
redirectEnd
After committing the navigation, the previous page (a.com) may perform redirections when navigating to the target/current page (b.com). Thus, b.com has access to specific timing information that is associated with redirections of a.com.

redirectCount
This attribute is related to redirectStart and redirectEnd, revealing the number of redirects while navigating from a.com to b.com. Thus, the target/current page (b.com) has access to the number of redirections associated with the previous page (a.com).

unloadEventStart
unloadEventEnd
After committing the navigation, the previous page (a.com) may have an unload event handler while navigating to the target/current page (b.com). Thus, b.com has access to how long a.com's unload handler took to execute.

[1] http://dvcs.w3.org/hg/webperf/raw-file/tip/specs/NavigationTiming/Overview.html

Thanks,
Anderson Quach
IE Program Manager

Received on Friday, 15 October 2010 18:48:15 UTC
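
The exposure described in the message above, as an added example that is not part of the original post or of the specification: it models what b.com can derive about a.com from the listed attributes, next to one assumed mitigation that withholds values describing another origin. The function names, URLs, timestamps, and the zeroing and clamping policy are all assumptions made for illustration.

```javascript
// Added example; every name, URL and timestamp below is constructed for illustration.
const originOf = (url) => new URL(url).origin;

// What the user agent recorded internally for a navigation from a.com to b.com (ms).
const sampleNav = {
  previousUrl: "https://a.com/account",
  redirectChain: ["https://a.com/out?id=1", "https://a.com/track"],
  currentUrl: "https://b.com/landing",
  raw: { navigationStart: 1000, unloadEventStart: 1005, unloadEventEnd: 1045,
         redirectStart: 1050, redirectEnd: 1210, fetchStart: 1215 },
};

// Intervals the current page can derive from the attributes it is handed.
function derivable(t) {
  return {
    redirectMs: t.redirectEnd - t.redirectStart,
    redirectCount: t.redirectCount,
    unloadMs: t.unloadEventEnd - t.unloadEventStart,
    preFetchMs: t.fetchStart - t.navigationStart,
  };
}

// Unfiltered exposure: every recorded value is handed to the current page.
function exposeAll(nav) {
  return { ...nav.raw, redirectCount: nav.redirectChain.length };
}

// Assumed policy: zero the attributes that describe another origin's behaviour.
function exposeSameOriginOnly(nav) {
  const here = originOf(nav.currentUrl);
  const redirectsOk = nav.redirectChain.every((u) => originOf(u) === here);
  const unloadOk = nav.previousUrl !== null && originOf(nav.previousUrl) === here;
  const r = nav.raw;
  return {
    // Clamp the start marker so it no longer brackets withheld phases.
    navigationStart: redirectsOk && unloadOk ? r.navigationStart : r.fetchStart,
    redirectStart: redirectsOk ? r.redirectStart : 0,
    redirectEnd: redirectsOk ? r.redirectEnd : 0,
    redirectCount: redirectsOk ? nav.redirectChain.length : 0,
    unloadEventStart: unloadOk ? r.unloadEventStart : 0,
    unloadEventEnd: unloadOk ? r.unloadEventEnd : 0,
    fetchStart: r.fetchStart,
  };
}
```

Comparing `derivable(exposeAll(sampleNav))` with `derivable(exposeSameOriginOnly(sampleNav))` shows which of the intervals named in the message remain visible to the target page under the assumed policy.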