timing oracle for rendezvous circuits
Since CORS headers can only be determined after a request is performed, we could measure the time to failure on a series of cross-domain requests and compare the time to failure of the first request with that of the subsequent requests. The difference would reveal whether a user has an already established circuit with a given rendezvous website.
While the timing on performance is quite coarse, it is sufficient to detect the build time of a rendezvous circuit. If the subsequent requests consistently take the same time as the initial request, it could be inferred that the user already had a circuit established to the onion address being tested by the XMLHttpRequest.
The measurement capabilities are very weak, given that the sample set of the initial connection can only be 1; as such, this attack is not very reliable.
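
The reliability limit described above can be checked with a small simulation. This is an added example, not code from the ticket: it makes no network requests, and the build time, base latency, timer resolution and jitter values are all constructed assumptions chosen only to show how a single first-request sample behaves under noise.

```javascript
// Added illustration; every number below is a constructed assumption, not a measurement.
const BUILD_MS = 1500;      // assumed rendezvous circuit build time
const BASE_MS = 2000;       // assumed time-to-failure over an existing circuit
const RESOLUTION_MS = 100;  // assumed coarse timer granularity

// Small seeded PRNG (mulberry32) so runs are reproducible.
function mulberry32(seed) {
  let a = seed | 0;
  return () => {
    a = (a + 0x6D2B79F5) | 0;
    let t = Math.imul(a ^ (a >>> 15), 1 | a);
    t = (t + Math.imul(t ^ (t >>> 7), 61 | t)) ^ t;
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

const quantize = (ms) => Math.floor(ms / RESOLUTION_MS) * RESOLUTION_MS;
const median = (xs) => [...xs].sort((a, b) => a - b)[Math.floor(xs.length / 2)];

// The inference from the text: a first request about as fast as the later
// ones means the circuit already existed.
function inferExistingCircuit(firstMs, laterMs, toleranceMs) {
  return firstMs - median(laterMs) <= toleranceMs;
}

// Fraction of simulated visitors for whom the inference is wrong.
function errorRate({ jitterMs, trials = 2000, followUps = 5, seed = 1 }) {
  const rand = mulberry32(seed);
  const sample = (extra) => quantize(BASE_MS + extra + rand() * jitterMs);
  let wrong = 0;
  for (let i = 0; i < trials; i++) {
    const hadCircuit = rand() < 0.5;
    const first = sample(hadCircuit ? 0 : BUILD_MS); // the only sample of its kind
    const later = Array.from({ length: followUps }, () => sample(0));
    if (inferExistingCircuit(first, later, BUILD_MS / 2) !== hadCircuit) wrong++;
  }
  return wrong / trials;
}

console.log("low jitter :", errorRate({ jitterMs: 200 }));
console.log("high jitter:", errorRate({ jitterMs: 6000 }));
```

Repeating the follow-up requests tightens only the baseline; the first request cannot be repeated, so once per-request jitter approaches the assumed build time the error rate climbs regardless of how many follow-ups are taken.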