By: Andrew Comminos (Facebook) & Vladan Djeric (Facebook)
And as to be expected, the "Privacy and Security" section makes zero mentions that this API could be used for tracking users without their consent across many origins, as it's adding yet another data point for Facebook et al to use when tracking users.
can you describe the threat vector here? how exactly could it be used to do that? keeping in mind the cross origin limitations mentioned in the spec, and that the timing resolution is no different to JS timestamp methods already available to code run in this context
It's yet another data point for fingerprinting. Similar to how you can use audio and canvas for fingerprinting. See https://audiofingerprint.openwpm.com/ for audio example. You could replicate the audio fingerprint example with performance characteristics instead and use in connection with other data points to build identifiers of users.
At first glance, it seems like this could be used as a powerful fingerprinting tool across multiple sites. Are there any plans to disable this for consumer devices, or to at least put it behind a permission prompt?
5 comments
[ 3.0 ms ] story [ 20.2 ms ] threadMany pages that I use run high on cpu. I have no option then kill them in the background. Right now doing that manually sucks.
The same information is available in chrome under dev-tools/Performance monitor as "CPU usage"
By: Andrew Comminos (Facebook) & Vladan Djeric (Facebook)
And as to be expected, the "Privacy and Security" section makes zero mentions that this API could be used for tracking users without their consent across many origins, as it's adding yet another data point for Facebook et al to use when tracking users.