Tangential question: are there other giveaways than download time for a cached document which could be used by malicious scripts?
I ask because I don't understand why a zero download time for a cached document couldn't be simply masked by some (random) wait by the browser instead of downloading the file again.
From the Chrome update page linked in the article, the explanation is:
> However, the time a website takes to respond to HTTP requests can reveal that the browser has accessed the same resource in the past, which opens the browser to security and privacy attacks, [...]
which seems to indicate that only time matters in the attacks. Yet, the third bullet point suggests:
> Cross-site tracking: The cache can be used to store cookie-like identifiers as a cross-site tracking mechanism.
as a possible attack based on the cache, which doesn't seem to involve document download time.