A timing attack with CSS selectors and JavaScript

104 points by mhasbini over 6 years ago

6 comments

throwaway2016a over 6 years ago

> Have you ever encountered a website that runs jQuery(location.hash)?

No. Actually I have never seen a website do that. What sites do that? What is the actual use of grabbing an element that has an ID that matches the URL hash?

And this attack will only work on those sites.

This is just one more variation of the best practice: don't trust user/client supplied data.

Edit: Though academically I actually find how this was implemented to be really interesting. I'm just not sure what uses it would have in the wild.
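An added example, not part of any comment in this thread or of the linked article: one way for a page to apply "don't trust client-supplied data" to the URL hash is to accept only a plain element ID and look it up with `getElementById`, so the hash is never parsed as a selector. The names `safeIdFromHash`, `elementForHash` and `MAX_ID_LENGTH`, the ID pattern, and the sample inputs are assumptions made for this sketch.

```javascript
// Added example: treat location.hash as untrusted input, never as a selector.
const MAX_ID_LENGTH = 64; // assumed cap; adjust to the IDs the page really uses
const SAFE_ID = /^[A-Za-z][A-Za-z0-9_-]*$/; // letters, digits, "_" and "-" only

// Returns the element ID named by the hash, or null if the hash is anything
// other than "#" followed by a plain ID.
function safeIdFromHash(hash) {
  if (typeof hash !== "string" || hash.length < 2 || hash[0] !== "#") return null;
  let id;
  try {
    id = decodeURIComponent(hash.slice(1));
  } catch (e) {
    return null; // malformed percent-encoding
  }
  if (id.length > MAX_ID_LENGTH || !SAFE_ID.test(id)) return null;
  return id;
}

// Looks the element up by ID only; `doc` is any object with getElementById.
function elementForHash(hash, doc) {
  const id = safeIdFromHash(hash);
  return id === null ? null : doc.getElementById(id);
}

// Browser wiring (skipped when no DOM is present, e.g. under Node).
if (typeof window !== "undefined") {
  window.addEventListener("hashchange", () => {
    const el = elementForHash(window.location.hash, document);
    if (el) el.scrollIntoView();
  });
}
```
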
driverdan over 6 years ago

I don't understand the point of this. What elements will a timing attack work against that you can't read the value from directly? I didn't notice any discussion of this in the article.

Edit: I see how this works. It will allow you to exfiltrate data from 3rd party websites that pass the URL hash into jQuery. An interesting idea but limited in scope.
EastSmith over 6 years ago

Cool hack.

Maybe it is time for browsers to disable iframes by default and ask the end user if they want to run them via the standard browser confirmation mechanisms site by site.
detaro over 6 years ago

I would have thought Chrome's site isolation would prevent this. Not enabled in the author's chromium build, or not helping for some reason?
otriv over 6 years ago

This is a good time to shill NoScript. If your browser runs JavaScript automatically, then you are putting your privacy and safety at risk.
SimeVidas over 6 years ago

Why does the RSS link on that website link to feedly.com instead of the feed directly? Weird.