[whatwg] cross-domain scrollIntoView on frames and iframes

Ian Hickson ian at hixie.ch
Thu Jul 30 16:08:42 PDT 2009


On Sat, 18 Jul 2009, Adam Barth wrote:
> On Fri, Jul 17, 2009 at 4:10 PM, Ian Hickson <ian at hixie.ch> wrote:
> > Suppose that there is a tool where someone can write some text, in which
> > case the text will be displayed when the page is loaded. Suppose that
> > whether the person has written this text is confidential, and that whether
> > one had entered text there or not would reveal something that the user
> > would prefer to keep secret.
> >
> > You could use this API to tell whether or not another user had entered
> > text, by opening an iframe to that page, and then trying to scroll from
> > distance n to distance n+10 many times in a loop, and timing how long it
> > takes to do the scroll. If there is no more content in the page, then
> > scrolling to n and n+10 would take less time than it would if there was
> > more content (since scrolling is slower than doing nothing).
> 
> I suspect you could extract that information more easily by just
> timing the page load:
> 
> http://crypto.stanford.edu/~abortz/papers/timingweb.pdf

Yes, that would be another way of getting this information.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'


