Re: [Open Issue] Privacy concern with Navigation Timing

On Fri, Oct 22, 2010 at 12:29 AM, Sigbjørn Vik <> wrote:

> On Thu, 21 Oct 2010 19:00:56 +0200, Zhiheng Wang <>
> wrote:
>  On Thu, Oct 21, 2010 at 7:46 AM, Sigbjørn Vik <> wrote:
>>  I see the following note:
>>> "Note: The relaxed same orgin policy doesn't provide sufficient
>>> protection
>>> against unauthorized visits accross documents. In shared hosting, an
>>> untrusted third party is able to host an HTTP server at the same IP
>>> address
>>> but on a different port."
>>> I must have missed this discussion, this is similar to the mail just sent
>>> about cookie domains (here called relaxed same origin). I am not quite
>>> sure
>>> I understand what "unauthorized visits accross documents" means?
>>    ah, right, I missed this in the discussion yesterday. cookie domain
>> doesn't work in cases like shared hosting, e.g., I have my web site on
>> and
>> yours on We probably don't want to share information
>> between them.
> Right, this is a potential problem. However, these domains already share
> cookies, and such domains are rarely used for sensitive data[1]. Timing
> information is not direct information either, only indirect, which at most
> indicates if a user is logged in or not.
> My thought is that using a cookie domain will be of great benefit to
> developers, and that it has little real-life negative impact on websites. Do
> you foresee any practical problems doing this?
> [1] Maybe with the exception of people putting their personal documents
> online to be available for themselves, but such use cases are unlikely to be
> tricked by spoofing.
   Different sub-domain is only part of the story.
Origin<> refers
to (schem, host, port), so different ports and schemes could be potential
risk as well.
It's a good point that they are sharing the same cookie already, so the
additional negative impact by relaxing the SOP is at most incremental.

   I actually have a bit more thought after the previous email... The SOP
doesn't seem to guarantee absolute safety either, e.g., some web services
are already hosting UGC on the same domain but a user-specific path like Arguably though, *should*
cover any potential security issues.

   Don't make me wrong. Cookie domain is also my favorite and I tend to
agree that its benefit is greater than other concerns. :-) I just feel like
up the point for discussion. And if we all agree on using the cookie domain,
we will go with it.


> --
> Sigbjørn Vik
> Quality Assurance
> Opera Software

Received on Friday, 22 October 2010 07:59:46 UTC