[tbb-bugs] #13024 [Tor Browser]: Disable resource timing API?

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Sep 8 09:29:55 UTC 2014


#13024: Disable resource timing API?
-------------------------+-------------------------------------------------
     Reporter:           |      Owner:  tbb-team
  mikeperry              |     Status:  new
         Type:  defect   |  Milestone:
     Priority:  normal   |    Version:
    Component:  Tor      |   Keywords:  ff31-esr, tbb-fingerprinting,
  Browser                |  TorBrowserTeam201409
   Resolution:           |  Parent ID:
Actual Points:           |
       Points:           |
-------------------------+-------------------------------------------------

Comment (by gacar):

 This API is the ideal attack surface for cache-timing attacks similar to
 [http://sip.cs.princeton.edu/pub/webtiming.pdf 1] and
 [http://lcamtuf.coredump.cx/cachetime/ 2].

 Although the timing information is restricted to same-origin scripts by
 default, websites can relax this by sending a
 [http://www.w3.org/TR/resource-timing/#cross-origin-resources `Timing-Allow-Origin`]
 response header.

 So, it seems wise to disable the relevant pref,
 `dom.enable_resource_timing`.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13024#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
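
The same-origin default and the `Timing-Allow-Origin` relaxation mentioned in the comment above, written out as a pure function. This is an added example, not part of the ticket or of Tor Browser code. The function names, origins and sample entry are constructed, and the list of zeroed attributes follows the W3C Resource Timing specification.

```javascript
// Added example: the Resource Timing "timing allow check" as plain functions.
// All origins and timing values below are constructed sample data.

// Attributes the W3C spec sets to zero when the check fails.
const RESTRICTED = [
  "redirectStart", "redirectEnd", "domainLookupStart", "domainLookupEnd",
  "connectStart", "connectEnd", "requestStart", "responseStart",
  "secureConnectionStart",
];

// Split one or more Timing-Allow-Origin header values into trimmed tokens.
function parseTimingAllowOrigin(headerValues) {
  return [].concat(headerValues || [])
    .flatMap((v) => String(v).split(","))
    .map((v) => v.trim())
    .filter((v) => v.length > 0);
}

// True when a script on documentOrigin may read detailed timing for a
// resource served from resourceOrigin with the given header values.
function timingAllowCheck(documentOrigin, resourceOrigin, headerValues) {
  if (documentOrigin === resourceOrigin) return true; // same-origin default
  const allowed = parseTimingAllowOrigin(headerValues);
  // A wildcard or a case-sensitive origin match relaxes the restriction.
  return allowed.includes("*") || allowed.includes(documentOrigin);
}

// The entry as the page would see it: unchanged when the check passes,
// restricted attributes zeroed when it fails.
function visibleEntry(entry, documentOrigin, resourceOrigin, headerValues) {
  const seen = { ...entry };
  if (!timingAllowCheck(documentOrigin, resourceOrigin, headerValues)) {
    for (const name of RESTRICTED) seen[name] = 0;
  }
  return seen;
}

// Constructed sample entry for a resource on https://cdn.example.
const sampleEntry = {
  startTime: 10, fetchStart: 10, domainLookupStart: 11, domainLookupEnd: 14,
  connectStart: 14, connectEnd: 22, requestStart: 23, responseStart: 41,
  responseEnd: 60,
};
```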

