Re: [whatwg/fetch] COEP:credentialless and the HTTP cache. (#1253)

Coming back to the issue of the security impact of this, we are unfortunately in a position where our security against cross-site data leaks is best-effort. Spectre attacks are possible in non-crossOriginIsolated contexts, they are just less efficient. This situation is not going to change unless we get rid of all timers in all non-crossOriginIsolated contexts or all CPU vulnerabilities are addressed. Neither of which is going to happen.

So then we need to evaluate whether the risk of a proxy caching credentialed resources fetched through HTTPS and then serving those back to the COEP credentialless document is higher than an attacker page just requesting the resource in a non-crossOriginIsolated context and performing a not very efficient Spectre attack on it.

To do a back-of-the-envelope computation, timer resolution is 20x greater in Chrome in crossOriginIsolated contexts vs non-crossOriginIsolated contexts (5 microseconds vs 100 microseconds). My understanding is that Spectre attack efficiency is roughly proportional to timer resolution. So you can exfiltrate data 20x faster in crossOriginIsolated contexts vs non-crossOriginIsolated contexts. If we look then at COEP credentialless, unless more than 1 in 20 credentialed resources are in fact cached in a local proxy that interposes on HTTPS connections, it is going to be faster to simply perform the attack in a non-crossOriginIsolated context.

https://github.com/whatwg/fetch/issues/1253#issuecomment-893332078

Received on Thursday, 5 August 2021 10:05:00 UTC