Have security reviewed whether this makes cross-origin timing attacks easier? Or would users have to manually enable this in DevTools, in which case it's presumably less of a concern?
Please try to characterize the interoperability risk for this API.
Sounds to me like developers should probably care about this feature, right? Then better file a chromestatus entry so docs get written etc.
And yes it sounds like there needs to be some sort of security review. We've had to kill/changed other web performance APIs in the past due to the potential for timing attacks. Seems like maybe this is completely different, but I'm not qualified to make that distinction :-)
Thanks Ken! Sounds fine to me. LGTM1 to ship.Doesn't seem necessary to block on the security review to me (there are no specific concerns), but still sounds like a good idea to get at least a sanity check from the security team.
LGTM2.--:DG<
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.