No edit summary |
No edit summary |
||
| Line 20: | Line 20: | ||
|Feature security review=* W3C Spec: http://www.w3.org/TR/2011/CR-navigation-timing-20110315/ | |Feature security review=* W3C Spec: http://www.w3.org/TR/2011/CR-navigation-timing-20110315/ | ||
** Editors Draft: http://www.w3c-test.org/webperf/specs/NavigationTiming/ | ** Editors Draft: http://www.w3c-test.org/webperf/specs/NavigationTiming/ | ||
== Introduce Feature | ====== Introduce Feature ====== | ||
=== Goal of Feature, what is trying to be achieved (problem solved, use cases, etc)=== | ============ Goal of Feature, what is trying to be achieved (problem solved, use cases, etc)============ | ||
* for web pages to get timining info about page load | * for web pages to get timining info about page load | ||
** how long dns resolution took | ** how long dns resolution took | ||
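Review bot: The new "Goal of Feature" heading is wrapped in twelve `=` characters on each side, but MediaWiki has only six heading levels, so the surplus equals signs will render as literal text inside a level-6 heading. "Introduce Feature" at `======` is also already the lowest level, leaving no room for a subsection beneath it. If the aim was to close the previously unclosed `== Introduce Feature` marker, `== Introduce Feature ==` with `=== Goal of Feature, ... ===` under it keeps the original hierarchy. While touching this block, the unchanged line "get timining info" has a typo ("timing").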
| Line 31: | Line 31: | ||
** doesn't expose URLs | ** doesn't expose URLs | ||
* web performance working group at W3C has the spec for this | * web performance working group at W3C has the spec for this | ||
=== What solutions/approaches were considered other than the proposed solution?=== | ============ What solutions/approaches were considered other than the proposed solution?============ | ||
* spec compliance | * spec compliance | ||
=== Why was this solution chosen?=== | ============ Why was this solution chosen?============ | ||
* spec compliance / feature parity | * spec compliance / feature parity | ||
* IE and Chrome also have this | * IE and Chrome also have this | ||
== Any security threats already considered in the design and why?=== | ====== Any security threats already considered in the design and why?============ | ||
* Spec mentions: detecting proxy servers, ..., avoid exposing URLs | * Spec mentions: detecting proxy servers, ..., avoid exposing URLs | ||
* spec mentions using same origin policy (editors draft; CR) | * spec mentions using same origin policy (editors draft; CR) | ||
== Threat Brainstorming | ====== Threat Brainstorming====== | ||
* [privacy] Precise, broken-down timing information as a side channel for information leaks | * [privacy] Precise, broken-down timing information as a side channel for information leaks | ||
* [privacy] Fingerprinting users (or groups of users!!!) by performance characteristics | * [privacy] Fingerprinting users (or groups of users!!!) by performance characteristics | ||
* Redirect count is pinned to 0 if any of the redirects were third-party. So if you know the last piece was a same-host redirect, the 0 tells you it went through another party :/ | * Redirect count is pinned to 0 if any of the redirects were third-party. So if you know the last piece was a same-host redirect, the 0 tells you it went through another party :/ | ||
== Conclusions / Action Items | ====== Conclusions / Action Items ====== | ||
* [dveditz] Point the Tor folks at the pref for disabling this feature (dom.enable_performance) | * [dveditz] Point the Tor folks at the pref for disabling this feature (dom.enable_performance) | ||
* [curtisk] talk to Sid about privacy | * [curtisk] talk to Sid about privacy | ||
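Review bot: The "Any security threats already considered in the design and why?" heading now opens with six `=` and closes with twelve, so the markers are unbalanced and the extra closing equals signs will appear as text in the rendered heading. The two sibling headings in this hunk ("What solutions/approaches were considered..." and "Why was this solution chosen?") use twelve `=` on both sides, which is beyond MediaWiki's six heading levels. Suggest `=== ... ===` for all three subsections and `== ... ==` for "Threat Brainstorming" and "Conclusions / Action Items", so the section levels match the structure the old revision was aiming for.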