[throwaway_n]

Can't we just show a "This site may harm your computer" message whenever a site is recording too much timing data? The page is justifiably considered malware at that point.

For example there's nothing preventing someone from timing all my keyboard events for keystroke biometrics: https://en.wikipedia.org/wiki/Keystroke_dynamics

[maxyme]

Consider the requestAnimationFrame API. It will give you a 60hz timer (even higher on high refresh rate displays) but is used for a ton of animation related tasks as well as games. That said it effectively can be used as a timer which in this case would likely be precise enough.

What do you do in the case where a ton of website's use this API for legitimate animations?