Currently `performance.now()` and related timestamps are coarsened based on site isolation status. This change will align their coarsening based on cross-origin isolation capability, regardless of platform. That would decrease their resolution on desktop from 5 microseconds to 100 microseconds in non-isolated contexts. It would also increase their resolution on Android from 100 microseconds to 5 microseconds in cross-origin isolated contexts, where it's safe to do so.

Motivation

Sites like https://leaky.page demonstrate that cross-origin information that’s read into the renderer can be observed by code running in that renderer. It also demonstrates that while high-resolution timers don’t enable that vulnerability, they accelerate its exploitation. Currently `performance.now()` and related timestamps are coarsened based on site isolation status of the platform. Aligning that with cross-origin isolated capability would enable us to expose more granular timers where we can, and reduce risk for our users where we can’t.

Specification

Specification link


Unknown standards status - check spec link for status

Status in Chromium

Blink>PerformanceAPIs


In development (tracking bug)

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

Owner

Comments

Implementation CL at https://chromium-review.googlesource.com/c/chromium/src/+/2757334

Last updated on 2021-10-09