Closed
Bug 1225066
Opened 9 years ago
Closed 9 years ago
Load event must obey same-origin policy
Categories
(Firefox :: Security, defect)
RESOLVED
DUPLICATE
of bug 1218778
People
(Reporter: kolan_n, Unassigned)
Details
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:44.0) Gecko/20100101 Firefox/44.0
Build ID: 20151111004055
Steps to reproduce:
let img=new Image();
img.addEventListener("load",console.log.bind(console),true);
img.src="https://www.google.com/images/nav_logo.png";//see timeStamp
Actual results:
It is possible to measure the time it takes to load different content from foreign resources, which allows timing attacks like https://github.com/diracdeltas/sniffly.
Expected results:
You mustn't be able to measure the time it takes to load cross-domain resources. Because even if we block the time API in the callback, it could be possible to create one's own timestamper, I suggest artificially increasing the time to a std distributed random value with mean=(average ping+size/average inet speed (among all the users of ff, this value is the same for everybody)) and mse=(size/(3 inet speed)). Why not just use the same for everybody? Because it will allow one to reliably distinguish the case when the file is loaded longer than average time.
Component: Untriaged → Security
OS: Unspecified → All
Hardware: Unspecified → All
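An added simulation of the padding scheme proposed in the description above (not code from the bug report or from Firefox). It assumes the report's "mse" is meant as a standard deviation and that the load event fires at max(actual, target); the sizes, ping, speed and all function names are constructed for illustration.

```javascript
// Added example: simulation of the padding scheme proposed in the report.
// All names and numbers below are constructed for illustration.

// Small deterministic PRNG (mulberry32) so every run gives the same samples.
function mulberry32(a) {
  return function () {
    let t = (a += 0x6D2B79F5);
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Standard normal sample via Box-Muller; 1 - rand() keeps log() away from 0.
function gaussian(rand) {
  return Math.sqrt(-2 * Math.log(1 - rand())) * Math.cos(2 * Math.PI * rand());
}

// Report's parameters: mean = ping + size/speed, spread = size/(3*speed).
// Assumption: the report's "mse" is used as a standard deviation.
function paddingParams(sizeBytes, avgPingMs, avgBytesPerMs) {
  const transfer = sizeBytes / avgBytesPerMs;
  return { mean: avgPingMs + transfer, sd: transfer / 3 };
}

// Assumption: the load event is held back until the target time, and never
// fires before the resource has really loaded.
function observedLoadTime(actualMs, targetMs) {
  return Math.max(actualMs, targetMs);
}

// Fraction of fast (e.g. cached) loads whose observed time is at least as
// long as a given slow load, i.e. how often the two cases look alike.
function overlapWithSlowLoad(slowMs, fastMs, p, randomised, trials, seed) {
  const rand = mulberry32(seed);
  let alike = 0;
  for (let i = 0; i < trials; i++) {
    const target = randomised ? p.mean + p.sd * gaussian(rand) : p.mean;
    if (observedLoadTime(fastMs, target) >= slowMs) alike++;
  }
  return alike / trials;
}

// Constructed scenario: 30 kB image, 50 ms ping, 200 bytes/ms average speed.
const params = paddingParams(30000, 50, 200);   // mean 200 ms, sd 50 ms
const slow = params.mean + 0.5 * params.sd;     // a load 25 ms above the mean
const fixedOverlap = overlapWithSlowLoad(slow, 5, params, false, 20000, 1);
const randomOverlap = overlapWithSlowLoad(slow, 5, params, true, 20000, 1);
console.log({ params, slow, fixedOverlap, randomOverlap });
```

With a fixed delay, a fast load is never observed to take as long as the slower one, so any reading above the fixed value reveals a genuinely slow load; with the randomised delay, roughly 30% of fast loads are observed at or above that time.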
Comment 1•9 years ago
Thank you for reporting this issue!
We already have a bug on file, so let's keep the discussion in one place :)
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE