Introduce Feature
Goal of Feature, what is trying to be achieved (problem solved, use cases, etc)
- for web pages to get timing info about page load
- how long DNS resolution took
- how long connection setup took
- how long the transfer took
- values are dates (like Date.now()), not durations
- this is only about the html page
- other timing interfaces in a different api (ResourceTiming)
- doesn't expose URLs
- web performance working group at W3C has the spec for this
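As an added illustration (not part of the review notes and not browser or spec code), the sketch below turns the timestamps the API exposes into the per-phase durations listed above. The function name `phaseDurations` and the sample objects are hypothetical, and the sample values are constructed; the attribute names are those of the W3C Navigation Timing `PerformanceTiming` and `PerformanceNavigation` interfaces.

```javascript
// Added example: derive durations from PerformanceTiming-style timestamps.
// A page would call: phaseDurations(performance.timing, performance.navigation)

// Returns end - start in milliseconds, or null when the attribute is zeroed
// (the spec reports 0 for redirectStart/redirectEnd when there was no
// redirect or when any redirect was not same-origin).
function span(start, end) {
  return start > 0 && end >= start ? end - start : null;
}

function phaseDurations(timing, navigation) {
  return {
    redirect: span(timing.redirectStart, timing.redirectEnd),
    dns: span(timing.domainLookupStart, timing.domainLookupEnd),
    connect: span(timing.connectStart, timing.connectEnd),
    request: span(timing.requestStart, timing.responseStart),
    transfer: span(timing.responseStart, timing.responseEnd),
    total: span(timing.navigationStart, timing.loadEventEnd),
    // 0 means "no redirect" OR "at least one redirect was not same-origin".
    redirectCount: navigation.redirectCount,
  };
}

// Constructed sample: epoch milliseconds, offsets from a made-up start time.
const T0 = 1300000000000;
const SAMPLE_TIMING = {
  navigationStart: T0,
  redirectStart: 0, // zeroed by the browser
  redirectEnd: 0,
  fetchStart: T0 + 5,
  domainLookupStart: T0 + 10,
  domainLookupEnd: T0 + 42,
  connectStart: T0 + 42,
  connectEnd: T0 + 97,
  requestStart: T0 + 98,
  responseStart: T0 + 210,
  responseEnd: T0 + 260,
  loadEventEnd: T0 + 900,
};
const SAMPLE_NAVIGATION = { redirectCount: 0 };

console.log(phaseDurations(SAMPLE_TIMING, SAMPLE_NAVIGATION));
```

When a lookup is served from cache or the connection is reused, the spec sets the start and end attributes to the same value, so the corresponding duration comes out as 0 rather than null.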
What solutions/approaches were considered other than the proposed solution?
Why was this solution chosen?
- spec compliance / feature parity
- IE and Chrome also have this
Any security threats already considered in the design and why?
- Spec mentions: detecting proxy servers, ..., avoid exposing URLs
- Spec mentions using the same-origin policy (editor's draft; CR)
Threat Brainstorming
- [privacy] Precise, broken-down timing information as a side channel for information leaks
- [privacy] Fingerprinting users (or groups of users!!!) by performance characteristics
- Redirect count is pinned to 0 if any of the redirects were third-party. So if you know the last piece was a same-host redirect, the 0 tells you it went through another party :/
Conclusions / Action Items
- [dveditz] Point the Tor folks at the pref for disabling this feature (dom.enable_performance)
- [curtisk] talk to Sid about privacy
- why is the IE implementation partial? did they have a problem with something? or were those properties simply not interesting enough to be worth the work?
- I (biesi) don't believe the IE implementation to be partial...