[whatwg] cross-domain scrollIntoView on frames and iframes

Adam Barth whatwg at adambarth.com
Sat Jul 18 16:12:23 PDT 2009


On Fri, Jul 17, 2009 at 4:10 PM, Ian Hickson <ian at hixie.ch> wrote:
> Suppose that there is a tool where someone can write some text, in which
> case the text will be displayed when the page is loaded. Suppose that
> whether the person has written this text is confidential, and that whether
> one had entered text there or not would reveal something that the user
> would prefer to keep secret.
>
> You could use this API to tell whether or not another user had entered
> text, by opening an iframe to that page, and then trying to scroll from
> distance n to distance n+10 many times in a loop, and timing how long it
> takes to do the scroll. If there is no more content in the page, then
> scrolling to n and n+10 would take less time than it would if there was
> more content (since scrolling is slower than doing nothing).

I suspect you could extract that information more easily by just
timing the page load:

http://crypto.stanford.edu/~abortz/papers/timingweb.pdf

Adam


