The Excel Online team also believes the COI requirement is not needed for this API.
After deep discussions on that decision we came to the understanding that the API does not expose any new vulnerability to time channel attack, as the timings from the API output are the same as performance.now (after the clamping, obviously).
Furthermore, the sampling interval of the profiler is in millisecond resolution as well, so again nothing new is exposed here.
@acomminos, if you agree on the timing concern, can we update this part (https://wicg.github.io/js-self-profiling/#privacy-security) in the spec to reflect our agreement on this understanding?
Another aspect when requiring COI is avoiding leaking information from cross-origin scripts.
However, this is already being handled inside the API by avoiding function names introspection if the script is from a different origin and did not provide a CORS header, just as in error.callstack AFAIU.
Therefore we are clear here as well.
Taking those points into account we strongly believe that the COI in this case is redundant.
Thanks.
Originally posted by @magenish in https://github.com/WICG/js-self-profiling/issues/41#issuecomment-846522442