What is "load time"? #65
Comments
|
I think it is different. An image is considered load until it's decoded, right? |
|
Do you mean not considered loaded? I don't think that's necessarily correct. There's Edit: but even then, can you explain the security angle? |
|
Sure, an attacker can already obtain arbitrarily accurate image load times using an image onload handler. |
|
What time can they not get? |
|
The time when the browser paints the image once it's loaded is much harder to obtain. This is why we gate the renderTime on headers. |
|
Okay, so I think my confusion here is with the first two paragraphs in that section only talking about a single timing channel apparently. I thought they tried to talk about a couple of them... |
|
I have to admit I also don't understand the security issue with renderTime or how TAO helps with that. |
|
There is no API today that allows computing renderTime, and allowing arbitrary embedders to compute it may introduce some privacy concerns. For instance, image an image that takes longer to render if the user is logged in vs if it's not. The attacker could then deduce the user logged in state by using renderTime. This is mitigated via TAO headers as in this case the image trusts the embedder and allows it to monitor the timing of such image. Does that make sense? I can expand the section to explain what the issue is. |
|
I guess that's somewhat fair. Though why would |
|
I'm not very familiar with |
|
I doubt we can remove @domenic thoughts? |
|
I doubt we could break |
I'm trying to wrap my head around https://wicg.github.io/element-timing/#sec-security and failing.
Is "load time" different from Fetch's timing info's end time somehow?
The text was updated successfully, but these errors were encountered: