The new requestAnimationFrame API can be used to time browser rendering operations and infer sensitive data based on timing data. The first technique allows the browser history to be sniffed by detecting redraw events. The second part of the paper shows how SVG filters are vulnerable to a timing attack that can be used to read pixel values from a web page. This allows pixels from cross-origin iframes to be read using an OCR-style technique to obtain sensitive data from websites.
Pixel Perfect Timing Attacks with HTML5
This paper describes a number of timing attack techniques that can be used by a malicious web page to steal sensitive data from a browser, breaking cross-origin restrictions.
