
It protects against the "Silhouette attack"

Original research paper: http://www.ntt.co.jp/news2018/1807e/180718a.html

Twitter Blog: https://blog.twitter.com/engineering/en_us/topics/insights/2...

"A website can request a page from Twitter in the background with JavaScript using standard browser APIs. That request will be made using login credentials (stored in cookies), so if you're logged into Twitter, that request will be made as you.

Our site implements common CSRF protections on POST requests to prevent actions being made on your behalf (for example, being able to send a Tweet). The browser also enforces a number of limitations on cross-origin requests for security reasons. For example, another origin cannot read the response content. However, the requesting page is able to determine how long the request took to load.

This timing data will only reveal information if the response times can be manipulated into a result based on a specific user. Generally, your page load time will depend on the Tweets you're viewing, and these aren't easy to predict.

However, when you are blocked by another user, we prevent you from being able to load their profile page, and just show a basic empty page. That page is much faster to load than a profile full of Tweets.

In our tests, profile page load times reliably dropped from around 500ms to about 200ms. In this way, one user can affect the page load time of another user viewing a specific URL."



That was an interesting read, now I'm surprised there are so few websites mitigating this kind of timing attack. Seems like SameSite is still not implemented everywhere: https://caniuse.com/#feat=same-site-cookie-attribute
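As an added illustration of the SameSite mitigation mentioned here (example code, not from the thread, Twitter, or the paper): a small Node.js auditor that parses `Set-Cookie` headers and flags session cookies a browser would still attach to a cross-site background request, comparing a constructed weak cookie with a hardened one. The cookie names and values are made up for the example.

```javascript
// Added example: audit Set-Cookie headers for the attributes that stop a
// session cookie from riding along on a cross-site request (the precondition
// for the cross-origin timing leak described in the quoted Twitter post).

// Parse one Set-Cookie header value into the cookie name plus an attribute map
// (attribute keys lower-cased; flag attributes such as Secure map to true).
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq);
  const attrs = {};
  for (const part of parts.slice(1)) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name, attrs };
}

// Return findings for a cookie; an empty list means the cookie is not sent on
// cross-site subresource requests and is reasonably hardened otherwise.
function auditCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const findings = [];
  const sameSite = typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : null;
  if (sameSite === null) {
    findings.push(`${name}: no SameSite attribute; browsers that do not default to Lax send it cross-site`);
  } else if (sameSite === 'none') {
    findings.push(`${name}: SameSite=None sends the cookie on every cross-site request`);
  }
  if (!attrs.secure) findings.push(`${name}: missing Secure (also required with SameSite=None)`);
  if (!attrs.httponly) findings.push(`${name}: missing HttpOnly`);
  return findings;
}

// Constructed sample headers (not real Twitter cookies): a weak session cookie
// that a cross-site request would carry, and the hardened equivalent.
const WEAK = 'auth_token=abc123; Path=/; Domain=.example.com';
const HARDENED = 'auth_token=abc123; Path=/; Domain=.example.com; Secure; HttpOnly; SameSite=Lax';

for (const h of [WEAK, HARDENED]) {
  const findings = auditCookie(h);
  console.log(findings.length ? findings.join('\n') : `${parseSetCookie(h).name}: ok`);
}
```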


Oh man, that's super cool, using a set of users to identify another user.



