[vwuon]

>When you visit my page I load www.forum.example/moderators/header.css and see if it came from cache.

Why can your page know if a certain resource came from cache? Can't that hole be plugged, instead?

[kccqzy]

Just measure the time it takes to load the resource.

[Semaphor]

Timing attacks. Not really pluggable.

[mindslight]

It's eminently pluggable if you stop running hostile general-purpose code on our own machines, giving it a large poorly-defined attack surface! That's the eventual answer here. Websites have a perfectly cromulent place to run whatever code they'd like - on their own servers. If you knew someone was trying to kill you, you wouldn't invite them into your home for a party so they could easily tamper with your medicine cabinet.