Video of the talk “Front-End Performance: The Dark Side” by Mathias Bynens, given at Fronteers Spring Conference 2016, which I attended:
In security-sensitive situations, performance can actually be a bug rather than a feature. This presentation covers timing attacks on the web, and demonstrates how modern performance-related web APIs can sometimes have a negative security impact.
The slides themselves are also available:
The Facebook timing attack mentioned in the talk, which can reveal a user's private data (such as age, gender, etc.), was discovered by Tom Van Goethem, a former student of mine. Feel free to read his academic paper “The Clock is Still Ticking: Timing Attacks in the Modern Web”, which covers the topic.