Security review of Resource Timing


Anne van Kesteren

Apr 27, 2016, 4:23:40 AM
to mozilla-de...@lists.mozilla.org
Hey, in https://github.com/w3c/resource-timing/issues/12 folks are
looking for Mozilla to give some kind of security sign off. It's still
not entirely clear to me how we do this kind of thing as an
organization so I thought I'd ask here.

In particular, I know in the past we've been conservative revealing
the specifics of network failures, even when it comes to same-origin
communication. The outcome is that a ton of APIs expose that kind of
thing as binary: either it worked or it didn't.

Now https://w3c.github.io/resource-timing/ promises to give detailed
information, even cross-origin if the resource on the other side opted
in, for DNS, TLS, HTTP, etc. timing, even when the resource could not
be completely obtained (the timings for the bits where it started
failing will be zero).

It's not entirely clear to me if this enables new attacks, and of what
nature, but it does seem like a significant shift in policy from the
tried and true binary approach.

Input appreciated.


--
https://annevankesteren.nl/
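The opt-in behaviour Anne describes (detailed DNS/TLS/HTTP timings exposed cross-origin only when the resource's response carries a Timing-Allow-Origin header naming the document's origin, otherwise those attributes read as zero) can be modelled as a small policy function. The following is an added illustration, not code from the thread, from Gecko, or from the Resource Timing spec; it assumes the header value has already been pulled out of the response and that the entry is a plain object mirroring the PerformanceResourceTiming attributes of the Level 1 spec.

```javascript
// Attributes the Resource Timing spec withholds from a cross-origin document
// that did not pass the timing allow check. fetchStart, responseEnd and
// duration stay visible, which is the coarse "did it work or not" view.
const RESTRICTED_FIELDS = [
  'redirectStart', 'redirectEnd',
  'domainLookupStart', 'domainLookupEnd',
  'connectStart', 'connectEnd', 'secureConnectionStart',
  'requestStart', 'responseStart',
];

// Timing allow check: same-origin always passes; cross-origin passes only
// when Timing-Allow-Origin is "*" or lists the document's origin exactly.
function timingAllowCheck(documentOrigin, resourceOrigin, timingAllowOriginHeader) {
  if (documentOrigin === resourceOrigin) return true;
  if (timingAllowOriginHeader == null) return false;
  const allowed = timingAllowOriginHeader.split(',').map((s) => s.trim());
  return allowed.includes('*') || allowed.includes(documentOrigin);
}

// Return a copy of the entry as the document would observe it, zeroing the
// restricted attributes when the timing allow check fails. The input is not
// mutated, so the same entry can be shown to several documents.
function exposeEntry(entry, documentOrigin, timingAllowOriginHeader) {
  const resourceOrigin = new URL(entry.name).origin;
  const visible = { ...entry };
  if (!timingAllowCheck(documentOrigin, resourceOrigin, timingAllowOriginHeader)) {
    for (const field of RESTRICTED_FIELDS) visible[field] = 0;
  }
  return visible;
}

// Constructed sample entry (hypothetical timings in milliseconds, not captured
// from any browser) for a script fetched from a cross-origin CDN.
const SAMPLE_ENTRY = {
  name: 'https://cdn.example/app.js',
  startTime: 100,
  fetchStart: 100,
  redirectStart: 0,
  redirectEnd: 0,
  domainLookupStart: 105,
  domainLookupEnd: 110,
  connectStart: 110,
  secureConnectionStart: 112,
  connectEnd: 120,
  requestStart: 121,
  responseStart: 140,
  responseEnd: 150,
  duration: 50,
};

// Side-by-side view for a document at https://app.example: once with the CDN
// opting that origin in, once with no Timing-Allow-Origin header at all.
function demo() {
  const documentOrigin = 'https://app.example';
  return {
    optedIn: exposeEntry(SAMPLE_ENTRY, documentOrigin, 'https://app.example'),
    noOptIn: exposeEntry(SAMPLE_ENTRY, documentOrigin, undefined),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The check is an exact string match on origins, not a prefix or wildcard match, and a resource that lists `https://other.example` gives `https://app.example` nothing more than the binary view; that exact-match rule is what a reviewer would want to confirm in any implementation that claims to follow the opt-in.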

Steve Workman

Apr 27, 2016, 2:25:35 PM
to Anne van Kesteren, Daniel Veditz, Tanvi Vyas, mozilla-de...@lists.mozilla.org, Richard Barnes
Tanvi, Dan or Richard might have some input here.