>Adding to what Tom said...
>
>1. "Web developers want the ability to observe the performance
>characteristics of their applications" - they want to do so, but
>*should* they be allowed to do so? The API would give access to deep
>performance data that could be used for all sorts of nefarious purposes
>(profiling, fingerprinting, probing for vulnerabilities, etc.).

The extreme version of this is what Vlad and Benoit (Facebook) have
proposed in WICG, which is an interface to profiling data for the page
(origin): https://github.com/vdjeric/js-self-profiling
Discussion (mozilla) here:
https://github.com/mozilla/standards-positions/issues/92

One can understand why they'd *want* to be able to profile their code
in-the-field.

Exposing this today would have serious same-origin and Spectre
impacts; in a Fission world these problematic impacts would be (more)
limited though perhaps not "safe".  (Implied in the current Gecko
Profiler impl is that other processes could affect how fast your
origin's process runs, and thus how much progress is made between
profiler 'ticks', leading to some leakage of information cross-origin
between processes.  How large an impact this is I'm not 100% sure at
this point. If we changed sampling to be runtime-based instead of
wallclock-based, this (mostly) hides the impact of other processes,
though secondary effects still exist (cache impacts, etc).

Making it runtime-based would be a largish change...

-- 
Randell Jesup, Mozilla Corp
remove "news" for personal email
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
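
As an added illustration of the wall-clock versus runtime-based sampling point in the message above: this is a constructed toy model, not Gecko Profiler code and not from the original poster. The scheduler shares, the function names and the 10 ms interval are assumptions.

```javascript
// Toy model (constructed): our process completes one unit of work per
// millisecond of CPU time it receives. share[t] is the fraction of wall-clock
// millisecond t that the scheduler gives us; the rest goes to another
// origin's process. Cache and other secondary effects are not modelled.
function sampleProgress(share, intervalMs, mode) {
  const perTick = [];            // work completed between successive ticks
  let wall = 0, cpu = 0, work = 0;
  for (const s of share) {
    wall += 1;                   // one wall-clock millisecond passes
    cpu += s;                    // CPU time we actually received
    work += s;                   // progress is proportional to CPU time
    const elapsed = mode === "wallclock" ? wall : cpu;
    if (elapsed >= intervalMs) { // profiler tick fires
      perTick.push(work);
      wall = 0; cpu = 0; work = 0;
    }
  }
  return perTick;
}

// Distinct per-tick progress values: more than one means the samples vary
// with what the other process was doing.
function distinct(values) {
  return [...new Set(values)].sort((a, b) => a - b);
}

// Constructed schedule: neighbour idle for 40 ms, then takes half the CPU
// for the next 40 ms.
const share = [...Array(40).fill(1), ...Array(40).fill(0.5)];

const wallclock = sampleProgress(share, 10, "wallclock");
const runtime = sampleProgress(share, 10, "runtime");

// Wall-clock ticks: progress per tick drops once the neighbour is busy.
console.log("wallclock ticks:", wallclock);
// Runtime ticks: progress per tick stays constant.
console.log("runtime ticks:  ", runtime);
```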
