Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

What is "load time"? #65

Open
annevk opened this issue Oct 22, 2021 · 12 comments
Open

What is "load time"? #65

annevk opened this issue Oct 22, 2021 · 12 comments

Comments

@annevk
Copy link
Member

annevk commented Oct 22, 2021

I'm trying to wrap my head around https://wicg.github.io/element-timing/#sec-security and failing.

Is "load time" different from Fetch's timing info's end time somehow?

@npm1
Copy link
Collaborator

npm1 commented Oct 25, 2021

I think it is different. An image is considered load until it's decoded, right?

@annevk
Copy link
Member Author

annevk commented Oct 25, 2021

Do you mean not considered loaded? I don't think that's necessarily correct. There's decode() for a reason.

Edit: but even then, can you explain the security angle?

@npm1
Copy link
Collaborator

npm1 commented Oct 25, 2021

Sure, an attacker can already obtain arbitrarily accurate image load times using an image onload handler.

@annevk
Copy link
Member Author

annevk commented Oct 25, 2021

What time can they not get?

@npm1
Copy link
Collaborator

npm1 commented Oct 25, 2021

The time when the browser paints the image once it's loaded is much harder to obtain. This is why we gate the renderTime on headers.

@annevk
Copy link
Member Author

annevk commented Oct 25, 2021

Okay, so I think my confusion here is with the first two paragraphs in that section only talking about a single timing channel apparently. I thought they tried to talk about a couple of them...

@annevk
Copy link
Member Author

annevk commented Oct 25, 2021

I have to admit I also don't understand the security issue with renderTime or how TAO helps with that.

@npm1
Copy link
Collaborator

npm1 commented Oct 25, 2021

There is no API today that allows computing renderTime, and allowing arbitrary embedders to compute it may introduce some privacy concerns. For instance, image an image that takes longer to render if the user is logged in vs if it's not. The attacker could then deduce the user logged in state by using renderTime. This is mitigated via TAO headers as in this case the image trusts the embedder and allows it to monitor the timing of such image. Does that make sense? I can expand the section to explain what the issue is.

@annevk
Copy link
Member Author

annevk commented Oct 25, 2021

I guess that's somewhat fair. Though why would decode() not expose that as well?

@npm1
Copy link
Collaborator

npm1 commented Oct 25, 2021

I'm not very familiar with decode(), but it seems like it might expose that too. We could consider removing the TAO requirement if that API is not going to be removed anytime soon.

@annevk
Copy link
Member Author

annevk commented Oct 25, 2021

I doubt we can remove decode() and I don't immediately see how we'd address this.

@domenic thoughts?

@domenic
Copy link

domenic commented Oct 25, 2021

decode() seems fuzzable if there's a security concern, i.e., we could introduce arbitrary delays before the returned promise resolves.

I doubt we could break decode() for non-TAO images to reject, without compat concerns. Although maybe we could implement something like having it always resolve at load time for such images, or always resolve at load time + 100 ms or something like that.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants