
Excel Online team also believes COI requirement is not needed for this API. #83

@fendoodelish

Description

Excel Online team also believes COI requirement is not needed for this API.

After deep discussions on that decision we came to the understanding that the API does not expose any new vulnerability to timing channel attacks, as the timings from the API output are the same as performance.now() (after the clamping, obviously).

Furthermore, the sampling interval of the profiler is in millisecond resolution as well, so again nothing new is exposed here.
@acomminos, if you agree on the timing concern, can we update this part (https://wicg.github.io/js-self-profiling/#privacy-security) in the spec to reflect our agreement on this understanding.

Another aspect when requiring COI is avoiding leaking information from cross-origin scripts.
However, this is already being handled inside the API by avoiding function name introspection if the script is from a different origin and did not provide CORS headers, just as in error.callstack AFAIU.
Therefore we are clear here as well.

Taking those points into account we strongly believe that the COI in this case is redundant.

Thanks.

Originally posted by @magenish in #41 (comment)
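The comment above rests on two mitigations: sample timestamps are no finer than a clamped performance.now(), and function names from cross-origin scripts without CORS are withheld. The following is an added model of both, written for this page; it is not code from the issue thread, from the JS Self-Profiling spec, or from any browser. The frame shape, the `corsEnabled` flag, the resolution parameter and the sample data are all assumptions constructed for illustration.

```javascript
// Added illustration (not from the issue thread or the spec): a simplified
// model of timestamp coarsening and cross-origin frame redaction.

// Coarsen a timestamp (ms) to a fixed resolution, as a clamped performance.now()
// would. `resolutionMs` is a constructed parameter, not any browser's setting.
function clampTimestamp(tMs, resolutionMs) {
  return Math.floor(tMs / resolutionMs) * resolutionMs;
}

// Same-origin frames keep their function name; cross-origin frames keep it only
// if the script was served with CORS headers (modelled here as `corsEnabled`),
// mirroring the error-stack rule the comment cites. This is an assumed model,
// not the spec's exact algorithm.
function redactFrame(frame, pageOrigin) {
  const scriptOrigin = new URL(frame.resourceUrl).origin;
  if (scriptOrigin === pageOrigin || frame.corsEnabled) {
    return { name: frame.name, resourceUrl: frame.resourceUrl };
  }
  // Name withheld; the URL stays, since the page already knows it loaded it.
  return { name: "", resourceUrl: frame.resourceUrl };
}

// Turn raw sampler output into what a consumer of the API would observe:
// every timestamp clamped to the sample interval, every frame redacted.
function buildTrace(samples, pageOrigin, sampleIntervalMs) {
  return samples.map((s) => ({
    timestamp: clampTimestamp(s.timestamp, sampleIntervalMs),
    stack: s.stack.map((f) => redactFrame(f, pageOrigin)),
  }));
}

// Constructed sample data: a page at https://app.example with one same-origin
// script, one cross-origin script without CORS, one cross-origin with CORS.
const PAGE_ORIGIN = "https://app.example";
const RAW_SAMPLES = [
  { timestamp: 10.437, stack: [
    { name: "render", resourceUrl: "https://app.example/app.js", corsEnabled: false },
  ]},
  { timestamp: 20.912, stack: [
    { name: "trackEvent", resourceUrl: "https://cdn.third.example/analytics.js", corsEnabled: false },
    { name: "render", resourceUrl: "https://app.example/app.js", corsEnabled: false },
  ]},
  { timestamp: 31.005, stack: [
    { name: "mapValues", resourceUrl: "https://cdn.lib.example/util.js", corsEnabled: true },
  ]},
];

// A 10 ms sample interval, which is coarser than the raw sub-millisecond values.
const TRACE = buildTrace(RAW_SAMPLES, PAGE_ORIGIN, 10);

// Defensive check a reviewer might run over a trace: does any frame from a
// non-CORS cross-origin script still carry a name?
function leaksNonCorsCrossOriginName(rawSamples, trace, pageOrigin) {
  return rawSamples.some((raw, i) =>
    raw.stack.some((f, j) => {
      const crossOrigin = new URL(f.resourceUrl).origin !== pageOrigin;
      return crossOrigin && !f.corsEnabled && trace[i].stack[j].name !== "";
    }));
}

console.log(JSON.stringify(TRACE, null, 2));
console.log("leak:", leaksNonCorsCrossOriginName(RAW_SAMPLES, TRACE, PAGE_ORIGIN));
```

Run it with `node` to see that the three raw timestamps collapse to 10, 20 and 30, that the analytics frame loses its name while the CORS-enabled utility frame keeps it, and that the leak check reports false.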
