How does pausing interact with non-same-origin content?

[bzbarsky]

If a site loads a cross-origin frame and then pauses it, is that OK? Has any security analysis been done on this?

[jkarlin]

Added a privacy section to the explainer about this. I don't believe we're exposing any new side-channel resource usage information here (e.g., cpu or network usage of the cross-origin frame) as the same could be determined by loading and unloading the frame, although this is a less-intrusive way to implement it.

[bzbarsky]

I wasn't thinking of side-channel information. My main worry is that you're now able to have content from a different origin permanently frozen (and shown to the user) in an unexpected transient state that would not normally persist. This seems like it could open up new phishing/clickjacking avenues at the very least....

But in general, what I think is needed here is some brainstorming about what kinds of new attacks this opens up. That's what I was asking initially: has such brainstorming happened?

[jkarlin]

Security brainstorming hasn't happened yet, and I agree that it's worth doing. This API is in its infancy.