Re: Cross-Origin Resources and Resource Timing

On Wed, Sep 7, 2011 at 2:18 AM, Alois Reitbauer <
alois.reitbauer@dynatrace.com> wrote:

>  Getting the overall time is already helpful while it makes diagnosing
> problems really hard missing the details. I have to say I am no security
> expert, so I am not the right person to judge the security implications.  It
> might be a good idea to state the security concerns in a non-normative
> section. As Pat pointed out third party providers will have to be convinced
> to support the new header. Having a strong reference like a W3C standard
> would be helpful here.
>

The main attack is determining if a user is logged in to a third party site.
If they include a resource from a third party site and see that it loaded
quickly, for instance because an HTTPS connection already existed, then they
can learn things like which bank the user uses.

We are trying to make this useful for developers, but our users' privacy
comes first.

James

Received on Tuesday, 13 September 2011 17:51:43 UTC