Re: [w3ctag/design-reviews] Long Animation Frame API (LoAF) (Issue #911)

@plinss and I looked at this today and it seems broadly acceptable.
We have a few concerns here, but none of these really change our overall positive disposition.

We observe that the spec claims that thresholding durations is an effective mitigation strategy for timing attacks.
This is not correct.  Thresholding only limits the rate at which information can be extracted.
The specification rightly points out that these measurements are already possible, but claims this does not make things worse.
This is also incorrect.  Being able to measure multiple timing sources at the same time makes the rate of information extraction much higher.
This is still probably a worthwhile trade-off overall, but please do not pretend like the risk has been eliminated.

We also noted the [monekypatch of WebIDL](https://w3c.github.io/long-animation-frames/#webidl-monkey-patches), hopefully you're talking to the WebIDL folks to get those changes folded in and will be removing the monkeypatch. See [our guidance in this area](https://w3ctag.github.io/design-principles/#monkey-patching).

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/911#issuecomment-2174493751
You are receiving this because you are subscribed to this thread.

Message ID: <w3ctag/design-reviews/issues/911/2174493751@github.com>

Received on Monday, 17 June 2024 21:53:01 UTC