Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove Resource Timing API Support #5487

Open
pes10k opened this issue Jul 31, 2019 · 0 comments
Open

Remove Resource Timing API Support #5487

pes10k opened this issue Jul 31, 2019 · 0 comments
Labels
feature/tor/leakproofing Eliminating unexpected ways that someone using Tor might be unmasked. priority/P3 The next thing for us to work on. It'll ride the trains. privacy/chromium-redqueen Work to remove privacy-harming "features" added in Chromium. privacy/feature User-facing privacy- & security-focused feature work. privacy/tracking Preventing sites from tracking users across the web privacy

Comments

@pes10k
Copy link
Contributor

pes10k commented Jul 31, 2019

Chromium (along with other major vendors) ship support for the Resource Timing API.

It has signfigant privacy risks, and little-to-no corresponding upside for users. We should remove.

Partial list of related privacy attacks:

  • Allows history leak when combined with alt-svc instructions (likely other situations too)
  • Leaks local network information b/c of information about DNS errors (yikes in Tor mode…)
  • Possible geo location concern regarding microsecond loading info

Demo:
https://www.audero.it/demo/resource-timing-api-demo.html

Related standards position:
brave-experiments/standards-positions#8
@pes10k pes10k added privacy privacy/feature User-facing privacy- & security-focused feature work. privacy/tracking Preventing sites from tracking users across the web feature/tor/leakproofing Eliminating unexpected ways that someone using Tor might be unmasked. labels Jul 31, 2019
@tildelowengrimm tildelowengrimm added the priority/P3 The next thing for us to work on. It'll ride the trains. label Jul 31, 2019
@tildelowengrimm tildelowengrimm added the privacy/chromium-redqueen Work to remove privacy-harming "features" added in Chromium. label Feb 12, 2020
@fmarier fmarier added this to Untriaged Backlog in Security & Privacy via automation Jun 18, 2020
@fmarier fmarier moved this from Untriaged Backlog to P3, P4, & P5 Backlog in Security & Privacy Jul 10, 2020
@fmarier fmarier removed this from P3, P4 Backlog in Security & Privacy Aug 17, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
feature/tor/leakproofing Eliminating unexpected ways that someone using Tor might be unmasked. priority/P3 The next thing for us to work on. It'll ride the trains. privacy/chromium-redqueen Work to remove privacy-harming "features" added in Chromium. privacy/feature User-facing privacy- & security-focused feature work. privacy/tracking Preventing sites from tracking users across the web privacy
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@pes10k @tildelowengrimm