High Resolution Time is the spec that defines performance.now(), a precise and monotonic clock for Web apps. It is republished as Candidate Recommendation by the Web Perf WG as it has needed a substantive update: the clock was too precise (!) w3.org/TR/2018/CR-hr-time-2-…
This tweet is unavailable
1
1
Indeed, the #Spectre and #Meltdown attacks revealed early January can be exploited in browsers - since these attacks rely on precise timing, reducing the precision of performance.now() was quickly identified as a way to reduce the risks of exploitation
1
1
1
The updated specification thus no longer suggests a minimum level of accuracy. There is still ongoing discussion on what the new recommendation should be github.com/w3c/hr-time/issue…
1
In particular, @mdrejhon has been expressing detailed concerns about the impact of reduced accuracy for some use cases (e.g. gaming). If you have ideas or concerns, head to the github repo github.com/w3c/hr-time/
1
1
1
2
There are more to addressing #Spectre and #Meltdown than just reducing timers accuracy. The various browser vendors have started reporting on the work they see ahead of them

Mar 1, 2018 · 12:55 PM UTC

2
See @firefox approach to reducing the risks associated with #Spectre and #Meltdown blog.mozilla.org/security/20…
1
.@webkit 's approach on #Spectre and #Meltdown webkit.org/blog/8048/what-sp…
1
.@MSEdgeDev 's approach on #Spectre and #Meltdown blogs.windows.com/msedgedev/…
1
.@googlechrome 's approach on #Spectre and #Meltdown developers.google.com/web/up…
And find out more about #Spectre and x-origin leaks in this recently published analysis from @arturjanc and @mikewest
Artur Janc @arturjanc
15 May 2018
If you care about web-based exploitation of Spectre and the problem of cross-origin information leaks in general, you may want to read this small doc: arturjanc.com/cross-origin-i… (co-written with the sublimely eloquent @mikewest)
1