- From: Sigbjørn Vik <sigbjorn@opera.com>
- Date: Thu, 06 Oct 2011 11:44:36 +0200
- To: public-web-perf@w3.org
On Fri, 30 Sep 2011 01:15:34 +0200, Tony Gentilcore <tonyg@google.com> wrote:

> Thanks for the reminder and sorry for the delay. I think this is the
> information we want to convey. Do you want to do any tweaking and then
> send it out? I'm also happy to mail it on our behalf if you think it
> is good to go.

We've discussed this in the security group in Opera, and don't think this is a good idea, for all the obvious reasons. While we didn't look for novel attacks, it will increase the attack surface significantly of a number of existing attacks. Third party DNS information is the CSS :visited issue all over again, which browsers have been trying to fix. Statistical fingerprinting is an issue which is small for every working group, but in total large for affected users. Timing attacks to know server setup, visited webpages, port scanning, guess at credentials etc. will all be easier.

There is also no obvious user gain by allowing this. The right question to ask would be what user gains there are in allowing third party timing information, and if those gains are significant, detail the potential gains, and then look for ways to give those gains to the user without privacy or security implications.

The security group considered allowing a user opt-in to such third party information, similar to the geo-location opt-in in browsers, but rejected the idea, as it could find no reason why a user would want to answer yes to such a question.

--
Sigbjørn Vik
Core Quality Services
Opera Software

Received on Thursday, 6 October 2011 09:44:24 UTC