- From: Tony Gentilcore <tonyg@chromium.org>
- Date: Wed, 19 Oct 2011 15:36:08 +0100
- To: Billy Hoffman <billy@zoompf.com>
- Cc: Bryan McQuade <bmcquade@google.com>, public-web-security@w3.org
Thank you all for the carefully thought out responses. This is exactly the kind of information needed. Activity seems to have died down, so I'll attempt to summarize...

1. The cross-origin restriction is absolutely needed. Without it:
- Web history could be leaked
- JS port scanning would be more accurate
- Brute forcing passwords could be more effective

2. Even with the cross-origin restriction, there are several concerns:
- In the presence of an XSS, everything in #1 can be exploited.
- This might improve the site's ability to geolocate the user.
- This makes existing timing attacks more explicit which prevents them from ever being patched.

3. Risk mitigation suggestions:
- Allow user opt-out
- Opt-out by default in private browsing modes
- Allow page opt-out via meta tag or the like

Is this a fair summary? Please correct me if I missed anything. Otherwise, I'll discuss these with the web perf working group.

My personal thoughts are:

#1 We will keep the cross-origin restriction.

#2 If an XSS is present, all bets are off, so we shouldn't worry about that. IP-based geolocation is already so effective that I doubt there's much room to improve that precision. There is no remotely plausible plan suggested for patching the implicit timing attacks, so making them explicit is not really changing anything.

#3 If opt-out is necessary, we've already done something wrong in #2.

-Tony
Received on Wednesday, 19 October 2011 14:37:03 UTC
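The cross-origin restriction the thread agrees to keep is, in the shipped Resource Timing API, an opt-in gate: a cross-origin resource only exposes its per-phase timestamps when the response carries a Timing-Allow-Origin header that passes the spec's "timing allow check"; otherwise those attributes are zeroed while the end-to-end timing (startTime, fetchStart, responseEnd, duration) stays visible, which is the "implicit" channel a page could already measure with an onload handler. The following is an added example, not code from the thread or from any browser: it models that check and the zeroing in plain Node-runnable JavaScript. The header name and the list of restricted attributes follow the Resource Timing specification; the origins, the URL names and the timing records are constructed for illustration.

```javascript
// Added example (not code from the thread). Models how the Resource Timing
// API applies the cross-origin restriction the thread discusses: a
// cross-origin resource only exposes its detailed phases if the response
// passed the "timing allow check" on the Timing-Allow-Origin header. The
// header name and the zeroed-attribute list follow the Resource Timing
// specification; the sample records below are constructed, not captured.

// Attributes zeroed for a cross-origin resource that fails the check.
// startTime, fetchStart, responseEnd and duration are not in the list: they
// remain visible, which is the end-to-end timing a page could already
// measure with an onload handler (the "implicit" timing attack).
const RESTRICTED_ATTRIBUTES = [
  'redirectStart', 'redirectEnd',
  'domainLookupStart', 'domainLookupEnd',
  'connectStart', 'connectEnd', 'secureConnectionStart',
  'requestStart', 'responseStart',
];

// Timing allow check: the header is a comma-separated list; it passes if any
// item is "*" or is a case-sensitive match for the document's serialized
// origin. A missing or empty header fails, so cross-origin timing is opt-in.
function timingAllowCheck(documentOrigin, headerValue) {
  if (typeof headerValue !== 'string') return false;
  return headerValue
    .split(',')
    .map((item) => item.trim())
    .some((item) => item === '*' || (item !== '' && item === documentOrigin));
}

function isSameOrigin(documentOrigin, resourceUrl) {
  return new URL(resourceUrl).origin === documentOrigin;
}

// Produce the entry the page is allowed to observe from the raw record the
// network stack collected. responseHeaders keys are assumed lower-case.
function exposeResourceTiming(documentOrigin, rawEntry, responseHeaders) {
  const entry = { ...rawEntry };
  const allowed =
    isSameOrigin(documentOrigin, rawEntry.name) ||
    timingAllowCheck(documentOrigin, responseHeaders['timing-allow-origin']);
  if (!allowed) {
    for (const attr of RESTRICTED_ATTRIBUTES) entry[attr] = 0;
  }
  entry.duration = entry.responseEnd - entry.startTime;
  return entry;
}

// What a timing-based probing script could learn from an entry: per-phase
// durations when the breakdown is visible, otherwise only the total.
function visiblePhases(entry) {
  if (entry.responseStart === 0) {
    return { total: entry.duration };
  }
  return {
    total: entry.duration,
    dns: entry.domainLookupEnd - entry.domainLookupStart,
    connect: entry.connectEnd - entry.connectStart,
    ttfb: entry.responseStart - entry.requestStart,
  };
}

// Constructed raw record for a third-party image fetched by a page on
// https://app.example.com (hypothetical hosts); times are ms since navigation.
function sampleThirdPartyImage() {
  return {
    name: 'https://cdn.example.net/pixel.png',
    startTime: 100, fetchStart: 100,
    redirectStart: 0, redirectEnd: 0,
    domainLookupStart: 102, domainLookupEnd: 120,
    connectStart: 120, secureConnectionStart: 130, connectEnd: 160,
    requestStart: 161, responseStart: 200, responseEnd: 230,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  const origin = 'https://app.example.com';
  const raw = sampleThirdPartyImage();
  console.log('no header:', visiblePhases(exposeResourceTiming(origin, raw, {})));
  console.log('TAO *    :', visiblePhases(exposeResourceTiming(origin, raw,
    { 'timing-allow-origin': '*' })));
}
```

Run it with `node` to see the two outcomes side by side: without the header the third-party fetch yields only `{ total: 130 }`, with `Timing-Allow-Origin: *` it also yields the DNS, connect and time-to-first-byte phases. The point for the thread's argument is the first outcome: the restriction hides the breakdown a port scanner or history sniffer would prefer, but the total load time it leaves behind is exactly what the pre-existing, unpatchable timing attacks already measured.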