An assorted list of links and references, for recent proof of concepts see Real World Examples.
Network timing based attacks
Network based attacks suffered from being slow, noisy and often rate limited by DoS protection.
2007 - In Exposing Private Information by Timing Web Applications, Andrew Bortz et al. describe an attack against web servers, in which the time a site takes to respond to a request can be used for leaking information (cross-site timing).
2009 - In Cross-domain search timing, Chris Evans explains how to time the response of a site to figure out if a user is logged in or not, and introduces for the first time the concept of cross-site search.
2015 - In Cross-Site Search Attacks - Technical Report Nethanel Gelernter and Amir Herzberg describe the attack again, but present better attacks based on statistical tests, algorithms, and some application-specific behaviors.
Client-based attacks made these attacks more accessible, as attacks required significantly less time to perform, and were significantly more accurate and exploitable than their network-timing counterparts.
2013 - patrojk described how to figure out the identity of a Facebook user by simply checking the image height/width of a Facebook image.
2015 - In The Clock is Still Ticking, Tom Van Goethem et.al started looking at improvements on the attacks presented in XS-Search by abusing browser APIs.
2016 - Nethanel Gelernter followed up with Advanced Cross Site Search described optimizations to the previous attacks based on "Second Order XS-Search".
(Annex) XSS Filters information leaks
Independently of the work above, there was also a lot of research into information leaks introduced by XSS filters. The connection to XS-Search didn't happen until 2018.
2014 - In Information theft attacks abusing browser's XSS filter Takeshi Terada described an attack to steal tokens from script elements by brute forcing them.
2015 - In X-XSS-Nightmare: 1; mode=attack Masato Kinogawa presented attacks against the IE XSS filter to steal content cross-domain.
2018 - In Exposing Intranets with reliable Browser-based Port scanning Gareth Heyes presented a technique for detecting network error pages, which triggered a discussion on Twitter about the XSS auditor and XSS Search.