https://www.arturjanc.com/cross-origin-infoleaks.pdf by @mikewest and @arturjanc is an excellent read.
Question though, RE: Pixel Perfect. The mitigation of "Don't apply filters cross-origin" isn't mentioned. Safari does this. Does Google have any telemetry on this usage?
Mike might know if Chrome has UMA for this. I would love to break cross-origin filters, and it would definitely help; however, my guess is that there are some other timings if you can render on top of cross-origin images, so I'm not sure if it would fully fix this class of bugs.