Hacker News
by futmacl 5317 days ago
Author here. It's not exactly that; the <img> approach is commonly suggested, but it has some serious limitations (explained in the source code).

Instead, I time <iframe>s, which allows SOP violations to be trapped the moment the browser barely starts thinking about rendering the target page. The other benefit is that <iframe> requests can be aborted quite easily when they are taking long enough for us to suspect a cache miss - before the request is completed and cached.

The results should not be fuzzy, although the PoC uses hardcoded timings instead of doing calibration, which makes it a bit tricky with "outlier" clients (very fast or very slow).

I made some minor tweaks today, and the success rate should be greatly improved; there's now a mini-survey on the page, looks like ~90% of the people who bother to complete it are getting accurate results.

2 comments

Seems like a good way to calibrate is to have the client cache a file from your targets list (you can cache-bust by adding "?some_random_junk" at the end). Then, see how long it takes to get a hit.

Better yet, do this for each target URL. Knowing the time that a miss takes vs. a hit will greatly increase your accuracy.

If it loads the page in an iframe, wouldn't future loads give a false positive?

Also, does this work for Google+ (I don't have an account)? I'd be surprised if it did, since it uses X-Frame-Options.

If you allow the load to complete, yes. But the idea here is to very quickly decide that you're not getting a cached copy, and abort the request (by changing src=) before the browser has a chance to read anything back and figure out what to do with it.
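The mechanism the author describes (timing an <iframe> navigation, trapping the first same-origin-policy error as the signal that the browser has started on the target, and aborting via src= before a miss completes) together with the per-URL calibration suggested above, as an added example that is not the PoC's own code. The threshold numbers, URLs, and the injected `env` object with a virtual clock are assumptions made so the decision logic can be exercised outside a browser; `browserEnv()` is what you would pass in a real page.

```javascript
// Added example, not code from the thread's author or the PoC. The frame
// starts as about:blank (readable); the moment a cross-origin document
// commits, reading its location throws, which is what we time. If the cutoff
// passes first, src is reset to about:blank so the miss is never read or
// stored. Thresholds, URLs and the `env` abstraction are assumptions.

// Cut-off midway between the slowest observed hit and the fastest observed
// miss; null when the two distributions overlap and no clean cut exists.
function calibrateThreshold(hitSamplesMs, missSamplesMs) {
  const slowestHit = Math.max(...hitSamplesMs);
  const fastestMiss = Math.min(...missSamplesMs);
  if (fastestMiss <= slowestHit) return null;
  return (slowestHit + fastestMiss) / 2;
}

// Random query string: the first load of the busted URL is a guaranteed miss,
// loading the same busted URL again is a guaranteed hit (calibration pair).
function cacheBust(url, token = Math.random().toString(36).slice(2)) {
  return url + (url.includes('?') ? '&' : '?') + 'cb=' + token;
}

// Readable while the frame still shows about:blank; throws once the
// cross-origin navigation has committed.
function navigationCommitted(frame) {
  try { void frame.contentWindow.location.href; return false; }
  catch (e) { return true; }
}

// Poll every millisecond: 'hit' as soon as the navigation commits,
// otherwise abort at the cutoff and report 'miss'.
function probe(url, thresholdMs, env, done) {
  const frame = env.createFrame();
  const start = env.now();
  frame.src = url;
  const poll = () => {
    const elapsed = env.now() - start;
    if (navigationCommitted(frame)) {
      env.removeFrame(frame);
      return done({ url, verdict: 'hit', elapsed });
    }
    if (elapsed >= thresholdMs) {
      frame.src = 'about:blank'; // abort before the response is consumed
      env.removeFrame(frame);
      return done({ url, verdict: 'miss', elapsed });
    }
    env.schedule(poll, 1);
  };
  env.schedule(poll, 1);
}

// Real browser environment (only usable where a DOM exists).
function browserEnv() {
  return {
    now: () => performance.now(),
    schedule: (fn, ms) => setTimeout(fn, ms),
    createFrame() {
      const f = document.createElement('iframe');
      f.style.display = 'none';
      document.body.appendChild(f);
      return f;
    },
    removeFrame: f => f.remove(),
  };
}

// Simulated environment with a virtual clock: the fake frame "commits" its
// navigation commitAfterMs after src is set (small = hit, large = miss).
function fakeEnv(commitAfterMs) {
  let clock = 0;
  const queue = [];
  return {
    now: () => clock,
    schedule: (fn, ms) => queue.push({ at: clock + ms, fn }),
    createFrame() {
      let src = 'about:blank', navStart = 0;
      return {
        get src() { return src; },
        set src(v) { src = v; navStart = clock; },
        contentWindow: {
          get location() {
            if (src !== 'about:blank' && clock - navStart >= commitAfterMs) {
              throw new Error('SecurityError: cross-origin frame');
            }
            return { href: src };
          },
        },
      };
    },
    removeFrame: () => {},
    run() { // drain the queue in virtual-time order
      while (queue.length) {
        queue.sort((a, b) => a.at - b.at);
        const task = queue.shift();
        clock = task.at;
        task.fn();
      }
    },
  };
}

// One probe against the simulated browser; returns the probe result.
function simulate(url, thresholdMs, commitAfterMs) {
  let result = null;
  const env = fakeEnv(commitAfterMs);
  probe(url, thresholdMs, env, r => { result = r; });
  env.run();
  return result;
}

if (typeof document === 'undefined') {
  const threshold = calibrateThreshold([4, 5, 6], [40, 55, 70]); // constructed samples
  console.log(simulate('https://target.example/', threshold, 3));
  console.log(simulate('https://target.example/', threshold, 200));
}
```

In a real page you would first run `probe(cacheBust(url), ...)` twice per target to collect the miss and hit samples that `calibrateThreshold` expects, then probe the real URL; a null threshold means the hit and miss timings for that client overlap and the result should be reported as unknown rather than guessed.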