Some HTML elements might be used to leak a portion of data to a cross-origin page. For example, the media resources below can leak information about their size, duration, and type.
- HTMLMediaElement leaks the media duration and the buffered times.
- HTMLVideoElement leaks the videoHeight and videoWidth; some browsers may also have webkitVideoDecodedByteCount, webkitAudioDecodedByteCount and webkitDecodedFrameCount.
- getVideoPlaybackQuality() leaks the totalVideoFrames.
- HTMLImageElement leaks the height and width, but if the image is invalid they will be 0 and image.
...
October 1, 2020
Measuring the time of JavaScript execution in a browser can give attackers information on when certain events are triggered, and how long some operations take.
Timing the Event Loop
JavaScript’s concurrency model is based on a single-threaded event loop, which means it can only run one task at a time. If, for example, some time-consuming task blocks the event loop, the user can perceive a freeze on a page as a result of the UI thread being starved.
...
October 1, 2020
Hybrid Timing Attacks allow attackers to measure the sum of a group of factors that influence the final timing measurement. These factors include:
- Network delays
- Document parsing
- Retrieval and processing of subresources
- Code execution

Some of the factors differ in value depending on the application. This means that Network Timing might be more significant for pages with more backend processing, while Execution Timing can be more significant in applications processing and displaying data within the browser.
...
October 1, 2020
The id attribute is widely used to identify HTML elements. Unfortunately, cross-origin websites can determine whether a given id is set anywhere on a page by leveraging the focus event and URL fragments. If https://example.com/foo#bar is loaded, the browser attempts to scroll to the element with id="bar". This can be detected cross-origin by loading https://example.com/foo#bar in an iframe; if there is an element with id="bar", the focus event fires. The blur event can also be used for the same purpose [1].
...
October 1, 2020
Another way to measure the network timing of a request consists of abusing the socket pool of a browser [1]. Browsers use sockets to communicate with servers. As the operating system and the hardware it runs on have limited resources, browsers have to impose a limit.
To exploit the existence of this limit, attackers can:
Check what the limit of the browser is, for example 256 global sockets for TCP and 6000 global sockets for UDP.
...