Mitigate Spectre by reducing the resolution of performance.now() to 20 microseconds. Based on: https://hg.mozilla.org/releases/mozilla-release/rev/afa87f9be3a8 For more details, see: https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/ This patch was modified to apply cleanly to GNU IceCat. # HG changeset patch # User Tom Ritter # Date 1514660820 21600 # Node ID afa87f9be3a8852da3a30f286b15ae599c7874f6 # Parent 6caa457ebedc915b43dc1d054b8fe22e82ca7447 Bug 1427870 - Change resolution of .now() to 20us. r=bkelly, a=lizzard The comment about workers was introduced in Bug 1186489 but became obsolete some time after that (definitely by Bug 1278838) diff --git a/dom/performance/Performance.cpp b/dom/performance/Performance.cpp --- a/dom/performance/Performance.cpp +++ b/dom/performance/Performance.cpp @@ -234,20 +234,19 @@ Performance::ClearResourceTimings() { MOZ_ASSERT(NS_IsMainThread()); mResourceEntries.Clear(); } DOMHighResTimeStamp Performance::RoundTime(double aTime) const { - // Round down to the nearest 5us, because if the timer is too accurate people - // can do nasty timing attacks with it. See similar code in the worker - // Performance implementation. - const double maxResolutionMs = 0.005; + // Round down to the nearest 20us, because if the timer is too accurate people + // can do nasty timing attacks with it. + const double maxResolutionMs = 0.020; return floor(aTime / maxResolutionMs) * maxResolutionMs; } void Performance::Mark(const nsAString& aName, ErrorResult& aRv) { // Don't add the entry if the buffer is full. XXX should be removed by bug 1159003.