[w3ctag/design-reviews] Other Spec Review: TCP Socket Pool per-Top-Level-Site (Issue #1151)

arichiv created an issue (w3ctag/design-reviews#1151)

### Where and by whom is the work is being done?

- Primary contacts:
  - @arichiv, Google Chrome
- Organization/project driving the specification: Google Chrome
- This work is being funded by: Google
- Primary standards group developing this feature: None
- Group intended to standardize this work: None
- Incubation and standards groups that have discussed the design: None


### Feedback so far

- Multi-stakeholder feedback:
  - Chromium comments: https://chromestatus.com/feature/6496757559197696
  - Mozilla comments: TBD
  - WebKit comments: TBD
- Major unresolved issues with or opposition to this specification: None
- Status/issue trackers for implementations: https://crbug.com/415691664


### You should also know that...

By [exploiting limits in the TCP connection pool size on Chrome](https://xsleaks.dev/docs/attacks/timing-attacks/connection-pool/), knowledge can be gained about cross-site state which would otherwise be inaccessible. Specifically, it’s possible (with some statistical certainty) to evaluate the login state, visited history, or even something more specific like whether gmail has pending messages in the inbox.


To mitigate this we are doubling the per-profile socket pool to 513 (512 was already studied and seen to have no negative impact) while imposing a per-top-level-site limit of 256 (the old global limit). This change should be entirely transparent to most sites and is anticipated to be a wash performance wise.

<!-- Content below this is maintained by @w3c-tag-bot -->
---

Track conversations at https://tag-github-bot.w3.org/gh/w3ctag/design-reviews/1151


-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/1151
You are receiving this because you are subscribed to this thread.

Message ID: <w3ctag/design-reviews/issues/1151@github.com>