"Since the result isn't an image, the onerror callback of the image is triggered in both cases, but we can record how long it takes from image instantiation to triggering of the onerror. This time will be greater when the document is accessible. In my experiments, loading took an average of 891ms when the document was available, but 573ms when it was not," Cantino said.
"I don't really disagree with them— this is hard to fix, and fairly theoretical," said Cantino, who previously had been awarded a bug bounty from Google multiple times. "Still, I think this is an interesting example of a timing attack, and shows how hard these sorts of issues can be to avoid."