Security review of Resource Timing

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Security review of Resource Timing

Anne van Kesteren
Hey, in https://github.com/w3c/resource-timing/issues/12 folks are
looking for Mozilla to give some kind of security sign off. It's still
not entirely clear to me how we do this kind of thing as an
organization so I thought I'd ask here.

In particular, I know in the past we've been conservative revealing
the specifics of network failures, even when it comes to same-origin
communication. The outcome is that a ton of APIs expose that kind of
thing binary, either it works or it didn't.

Now https://w3c.github.io/resource-timing/ promises to give detailed
information, even cross-origin if the resource on the other side opted
in, for DNS, TLS, HTTP, etc. timing, even when the resource could not
be completely obtained (the timings for the bits where it started
failing will be zero).

It's not entirely clear to me if this enables new attacks, and of what
nature, but it does seem like a significant shift in policy from the
tried and true binary approach.

Input appreciated.


--
https://annevankesteren.nl/
_______________________________________________
dev-security mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-security
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Security review of Resource Timing

Steve Workman
Tanvi, Dan or Richard might have some input here.

On Wed, Apr 27, 2016 at 1:23 AM, Anne van Kesteren <[hidden email]> wrote:

> Hey, in https://github.com/w3c/resource-timing/issues/12 folks are
> looking for Mozilla to give some kind of security sign off. It's still
> not entirely clear to me how we do this kind of thing as an
> organization so I thought I'd ask here.
>
> In particular, I know in the past we've been conservative revealing
> the specifics of network failures, even when it comes to same-origin
> communication. The outcome is that a ton of APIs expose that kind of
> thing binary, either it works or it didn't.
>
> Now https://w3c.github.io/resource-timing/ promises to give detailed
> information, even cross-origin if the resource on the other side opted
> in, for DNS, TLS, HTTP, etc. timing, even when the resource could not
> be completely obtained (the timings for the bits where it started
> failing will be zero).
>
> It's not entirely clear to me if this enables new attacks, and of what
> nature, but it does seem like a significant shift in policy from the
> tried and true binary approach.
>
> Input appreciated.
>
>
> --
> https://annevankesteren.nl/
> _______________________________________________
> dev-security mailing list
> [hidden email]
> https://lists.mozilla.org/listinfo/dev-security
>
_______________________________________________
dev-security mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-security
Loading...