by jbfoo 3088 days ago
Problem is that, as far as I understand, compiler "fixes" could fix the attacked application. So if JavaScript code is exploiting Spectre to read passwords from your KeePassX, fixes need to be applied to KeePassX and not to the V8 engine.

(Also, you can probably patch the V8 interpreter to mitigate this issue, but that is a different story.)


No, it's V8 that has to make sure the privilege check variable is in the L1d cache when the `if` happens.

KeePass uses HTTP, and by the time it sees the request, it cannot do much if it's valid.

You would not send requests to KeePass in order to leak passwords. Instead, you would try to set up the branch prediction cache in such a way that, during ordinary execution, KeePass causes cache accesses dependent on secret data because of the code that is speculatively executed due to indirect branch prediction (you set up the branch prediction cache in such a way that it executes your "gadget" to leak things). So yes, assuming you manage to get enough control over the addresses of things in memory via JavaScript (may be hard, but there are known ways to defeat ASLR via JavaScript as well), I think you should be able to attack KeePass even if V8 fixed it.