Timing attacks · Issue #41 · WICG/private-network-access (original) (raw)

Even if #21 is removed, I think the website may be able to deduce when it's served 'locally' through ssh tunnel, fiddler etc.

A public website served locally could:

• Use timing attacks between prefetch and network errors
• Request local resources it wouldn't normally have access to

As part of the non-normative text, it may be worth mentioning that user agents should allow the user to override this protection. (potentially linking to the feature being added to WebDriver to be exposed as user flags / prefs etc)