[tbb-bugs] #13024 [Tor Browser]: Disable resource timing API?

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Sep 8 09:29:55 UTC 2014

#13024: Disable resource timing API?
     Reporter:           |      Owner:  tbb-team
  mikeperry              |     Status:  new
         Type:  defect   |  Milestone:
     Priority:  normal   |    Version:
    Component:  Tor      |   Keywords:  ff31-esr, tbb-fingerprinting,
  Browser                |  TorBrowserTeam201409
   Resolution:           |  Parent ID:
Actual Points:           |
       Points:           |

Comment (by gacar):

 This API is the ideal attack surface for cache-timing attacks similar to
 [http://sip.cs.princeton.edu/pub/webtiming.pdf 1] and
 [http://lcamtuf.coredump.cx/cachetime/ 2].

 Although, the timing information is restricted to same-origin scripts by
 default, websites can relax this by sending a [http://www.w3.org/TR
 /resource-timing/#cross-origin-resources `Timing-Allow-Origin`] response

 So, it seems wise to disable the relevant pref,

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13024#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list