Pete Freitag

Timing Attacks and the Timing-Allow-Origin Header

Published on October 23, 2019
By Pete Freitag

I've always found timing attacks to be an interesting class of web application vulnerability. You need to understand timing attacks before you can understand what the Timing-Allow-Origin HTTP response header does, and why its value matters.

What is a Timing Attack?

Timing attacks happen when an attacker uses how long an operation takes to infer information they are not supposed to have, or, perhaps better put, when performance is a bug!

Here is a common timing attack I see often in real code:

function authenticate(username, password) {
    // Unknown usernames return here, before the expensive password check runs.
    if ( isValidUser(username) ) {
        if ( isValidPassword( username, password ) ) {
            return { authenticated: true };
        }
    }
    return { authenticated: false };
}

In the above case an attacker can use the response time to determine which usernames are valid. If an invalid username is passed, the function fails fast. This works well for the attacker because isValidPassword is probably doing an expensive operation, computing the hash of the entered password, which takes a measurable amount of time. By comparing the response time for a known-valid username against the response time for a made-up one, the attacker can build a list of valid usernames without ever guessing a password correctly.

Other real-world timing attacks have let a malicious site learn who its visitor is, by timing how long a cross-origin request to a site the visitor is logged into takes to answer (see the Twitter Silhouette attack). On Facebook, it was possible to create pages with an age restriction such that only, say, a 32-year-old could view them; by creating one page per age and having another site request each of them, that site could tell how old you are from which request behaved differently.

Mathias Bynens has a great talk on this subject that will help you further understand this topic.

The Timing-Allow-Origin Header

Can I Use only started tracking this header about a month ago (September 2019), although it is defined by the W3C Resource Timing specification and browsers have supported it for longer than that.

The Timing-Allow-Origin header lets you specify which origins may read the detailed timing data for a response through the Resource Timing API. The browser compares the embedding page's origin to the header value as an exact, case-sensitive string match (scheme, host and port), and the value may be a comma-separated list of origins. If you want to share the timing data with a specific origin, you specify that origin as the value.


The spec also allows you to specify a wildcard here:

Timing-Allow-Origin: *

Hopefully it is clear now that specifying the * wildcard for Timing-Allow-Origin is not a good idea: it lets any site that embeds your resources read their detailed timings (DNS lookup, connection, request and response start, transfer sizes) through the Resource Timing API, which makes cross-site timing attacks like the ones above easier and more precise. Omitting the header does not make you immune, though: a page can still measure the coarse duration of a cross-origin fetch with performance.now(), so the real fix is to make response times independent of the secret (for example, always computing the password hash in the login example above).

security headers

