- From: James Simonsen <simonjam@chromium.org>
- Date: Tue, 13 Sep 2011 10:51:18 -0700
- To: "public-web-perf@w3.org" <public-web-perf@w3.org>
Received on Tuesday, 13 September 2011 17:51:43 UTC
On Wed, Sep 7, 2011 at 2:18 AM, Alois Reitbauer < alois.reitbauer@dynatrace.com> wrote: > Getting the overall time is already helpful while it makes diagnosing > problems really hard missing the details. I have to say I am no security > expert, so I am not the right person to judge the security implications. It > might be a good idea to state the security concerns in a non-normative > section. As Pat pointed out third party providers will have to be convinced > to support the new header. Having a strong reference like a W3C standard > would be helpful here. > The main attack is determining if a user is logged in to a third party site. If they include a resource from a third party site and see that it loaded quickly, for instance because an HTTPS connection already existed, then they can learn things like which bank the user uses. We are trying to make this useful for developers, but our users' privacy comes first. James
Received on Tuesday, 13 September 2011 17:51:43 UTC