Re: [Bug 9823] New: Add "maxExecutionContexts" property with number of hardware execution contexts from Mark Seaborn on 2010-06-10 (public-webapps@w3.org from April to June 2010)

From: Mark Seaborn <mseaborn@chromium.org>
Date: Thu, 10 Jun 2010 11:10:42 -0700
To: public-webapps@w3.org
Cc: Jonas Sicking <jonas@sicking.cc>
Message-ID: <AANLkTikf9QqAX8tnBsHxFvePE3kGCunjIghFsgVEGpOp@mail.gmail.com>

On Thu, Jun 10, 2010 at 10:04 AM, Jonas Sicking <jonas@sicking.cc> wrote:

> For what it's worth, it's unlikely that we at mozilla will implement
> this anytime soon, if at all. We're currently working on trying to
> reduce the ability to fingerprint [1] and this would be a step in the
> wrong direction for us. This is based on discussions with security
> folks here, so it's possible that others at mozilla has different
> opinions, but I still think it's unlikely that this will get past our
> security reviews for now.
>

While I'm very much in favour of reducing the browser fingerprint, I suspect
that if you expose non-determinism via concurrent message-passing between
web workers, a web app can probably work out how many cores the machine
has.  It can spawn multiple web workers, send many messages, and look at the
message interleaving.  (Do web workers have access to any high resolution
timers that would make this easier?)

That said, just because it's possible to get this information doesn't mean
it should be made easy.

Cheers,
Mark

Received on Thursday, 10 June 2010 18:11:12 UTC