Re: malicious JavaScript within a web browser tab
"Hardly requires an attacker to have a foothold on ones machine to proceed."
Only because JavaScript has access to high precision timers. Somewhere north of 90% of JS code has no need for microsecond timing. The easy fix is to disable HR timers (performance.now, hrtime() from Node.js, etc.) in the JavaScript engine by forcing the maximum timer precision to 100 ms or so, (something longer than the OS time slice) making a timing attack from JavaScript very impractical, if not impossible. It could of course easily be made optional, so that those who dared enabled HR timers could still play their JavaScript games. A timing attack would indeed then require a foothold on ones machine.