Currently `performance.now()` and related timestamps are coarsened based on site isolation status. This change will align their coarsening based on cross-origin isolation capability, regardless of platform. That would decrease their resolution on desktop from 5 microseconds to 100 microseconds in non-isolated contexts. It would also increase their resolution on Android from 100 microseconds to 5 microseconds in cross-origin isolated contexts, where it's safe to do so.
Sites like https://leaky.page demonstrate that cross-origin information that’s read into the renderer can be observed by code running in that renderer. It also demonstrates that while high-resolution timers don’t enable that vulnerability, they accelerate its exploitation. Currently `performance.now()` and related timestamps are coarsened based on site isolation status of the platform. Aligning that with cross-origin isolated capability would enable us to expose more granular timers where we can, and reduce risk for our users where we can’t.
Status in Chromium
In development (tracking bug) in:
- Chrome for desktop release 91
- Chrome for Android release 91
Consensus & Standardization
Last updated on 2021-07-25