Timing oracle for rendezvous circuits
The performance and XMLHttpRequest JavaScript APIs provide a toolset sufficient to test for the existence of previously established rendezvous circuits.
Since CORS headers can only be determined after a request is performed, measuring the time to failure on a series of cross-domain requests, and observing the difference between the time to failure on the first and on subsequent requests, could reveal whether a user already has an established circuit with a given rendezvous website.
While the timing available from performance is quite coarse, it is sufficient to detect the build time of a rendezvous circuit. If the subsequent requests consistently take the same time as the initial request, it could be inferred that the user already had a circuit established to the onion address being tested by the XMLHttpRequest.
The measurement capabilities are very weak, given that the sample set of the initial connection can only be 1. As such, this attack is not very reliable.
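To put a number on that unreliability, the following added example (not part of the original report) is an offline model of the inference. It makes no requests and estimates how often the single first sample gives a wrong verdict as path jitter and clock resolution change. The latency figures, the tolerance and the function names are all constructed assumptions.

```javascript
// Offline model only: no requests are made. All latency figures are constructed.
function mulberry32(a) { // small seeded PRNG so runs are reproducible
  return function () {
    a = (a + 0x6D2B79F5) | 0;
    let t = Math.imul(a ^ (a >>> 15), 1 | a);
    t = (t + Math.imul(t ^ (t >>> 7), 61 | t)) ^ t;
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Round a duration down to the clock resolution, as a coarse timer would report it.
function clamp(ms, resolutionMs) {
  return Math.floor(ms / resolutionMs) * resolutionMs;
}

// Decision rule from the text: a first request about as slow as the later ones
// is read as "a circuit already existed".
function inferExisting(firstMs, laterMs, toleranceMs) {
  const sorted = [...laterMs].sort((x, y) => x - y);
  const median = sorted[Math.floor(sorted.length / 2)];
  return firstMs - median <= toleranceMs;
}

// One simulated observation; p holds the assumed latency model.
function trial(rand, hadCircuit, p) {
  const rtt = () => p.baseMs + rand() * p.jitterMs;
  const first = rtt() + (hadCircuit ? 0 : p.buildMs); // the single first sample
  const later = Array.from({ length: p.followUps }, rtt);
  return inferExisting(clamp(first, p.resolutionMs),
    later.map((x) => clamp(x, p.resolutionMs)), p.toleranceMs);
}

// Fraction of wrong verdicts in each direction over many simulated users.
function errorRates(p, trials = 2000, seed = 1) {
  const rand = mulberry32(seed);
  let fp = 0, fn = 0;
  for (let i = 0; i < trials; i++) {
    if (trial(rand, false, p)) fp++; // no circuit, verdict "existing"
    if (!trial(rand, true, p)) fn++; // circuit existed, verdict "new"
  }
  return { falsePositive: fp / trials, falseNegative: fn / trials };
}

const model = { baseMs: 400, buildMs: 1500, followUps: 5, toleranceMs: 200 };
console.log("quiet path", errorRates({ ...model, jitterMs: 0, resolutionMs: 100 }));
console.log("jittery path", errorRates({ ...model, jitterMs: 3000, resolutionMs: 100 }));
console.log("very coarse clock", errorRates({ ...model, jitterMs: 0, resolutionMs: 5000 }));
```

In this model, a clock resolution larger than the circuit build time makes every first request look like an existing circuit, so the verdict carries no information.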