RE: Cross-Origin Restrictions

The email looks great, thank you for putting this together. Can you please share this with the relevant mailing lists and CC WebPerf?


-----Original Message-----
From: Tony Gentilcore [] 
Sent: Thursday, September 29, 2011 4:16 PM
To: Jatinder Mann
Subject: Re: Cross-Origin Restrictions

Thanks for the reminder and sorry for the delay. I think this is the information we want to convey. Do you want to do any tweaking and send then it out? I'm also happy to mail it on our behalf if you think it is good to go.



Hi Security Gurus,

The Resource Timing[1] specific has just entered last call phase. It provides network timing details for each subresource loaded by a page, to wit, the HTTP redirect, DNS, TCP connect, HTTP request and HTTP response phases.

We suspect that exposing this additional detail could improve the effectiveness of timing attacks like those described by Felten and Schneider[2]. So we have speculatively guarded these times with a same-origin restriction.

But even with the same-origin restriction, other folks have speculated[3] these times could be used to improve the effectiveness of statistical fingerprinting. At the same time, developers who want to use the specification are concerned that the same-origin restriction is too crippling for their use-cases.

So, we'd like to take a step back and develop a list of novel attacks that could be enabled by exposing network timing. Then we can put in the proper set of restrictions to prevent them. The problem is that none of the working group participants have expertise in security or privacy. Would you be willing to help us compile such a list?

Thank you,
Web Performance Working Group


On Wed, Sep 28, 2011 at 1:40 AM, Jatinder Mann <> wrote:
> Tony,
> In a previous conference call, we had discussed drafting an email to 
> share and get feedback from security and privacy experts on 
> statistical fingerprinting concerns. Once you have that mail drafted, 
> we can begin soliciting feedback and close this remaining open item on the Timing specs.
> Do you have an idea of when you think you can have that ready by?
> Thanks!
> Jatinder
> Per [minutes] 20110914 Web Performance WG Teleconference #49:
> Cross-Origin Restrictions
> There has been an open issue in the working group to verify with 
> security and privacy experts on our current security and privacy 
> features. There are both concerns that we may be too restrictive or 
> not restrictive enough. In order to resolve these issues, we will 
> follow up with security and privacy experts both internally and on the 
> W3C mailing lists. Tony has an action item (ACTION-50) to draft a mail 
> describing our scenario that can then be circulated to the various experts.

Received on Monday, 3 October 2011 22:01:31 UTC