On Sun, Feb 26, 2017 at 5:12 PM, Brian Birtles <bbirt...@mozilla.com> wrote:
> On Sat, Feb 25, 2017 at 1:09 AM, <trit...@mozilla.com> wrote:
>> On Thursday, February 23, 2017 at 9:09:58 AM UTC-6, Boris Chiou wrote:
>>> *Preference behind which this will be implemented*: I'm not sure. I think
>>> we don't need it because it is just a variant of the step timing function,
>>> and so it is safe to turn it on. If there are any other concerns, I can add
>>> a preference for this.
>>
>> Given our (and all browsers') painful history with people finding novel ways
>> to bypass security by abusing any and all timers we expose, I would feel
>> much better if this had a pref.
>
> As Boris mentioned, adding a pref is no problem, but I'm curious to
> learn about the specific security concern here. This doesn't expose
> any new timing information. It's just a variation on the steps timing
> function. Perhaps the 'frames' name suggests something about exposing
> the browser's animation frames, but there's no connection between
> frames() and actual animation frames in the browser.
Sure. I would not characterize the security concern as "This new thing might be dangerous but the old thing isn't" but rather "All of these things might be dangerous, but Boris is only talking about one of them so I only mentioned one of them." I'd be overjoyed if we added a pref for the old stuff too! =)

If the engineering effort to add a pref is particularly burdensome, I'm sure I or someone else in Security could perform a deep-dive, but if it's not then yeah. (And if there _is_ a pref that disables _all_ related animation timing that this new feature would be covered by, then I'd suggest that this existing pref may be sufficient _unless_ you feel it would be overly painful to hypothetically disable N features when only 1 of them might be a source of concern.)

In general, anything that aids someone in performing timing measurements is concerning, because fine-grained timing measurements enable cache attacks, which can enable history disclosure, activity disclosure, or even crypto key disclosure. In animation's particular area, I could imagine an attack that measures an animation's movement to get a higher resolution timer than one that may be exposed otherwise. (I know there's the High Res API, but consider if it were disabled. Plus, in general, I think we should avoid arguments that go "X isn't as bad as Y so we shouldn't care about X".)

Anyway, there are probably a couple of reasons why my example isn't feasible, but as I mentioned this isn't a deep dive, and I get the impression that the pref isn't burdensome.

HTH,
-tom

_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform