Which timing attack involves sending crafted request packets to the website using JavaScript?

Timing attacks use measurable differences in how long a system takes to respond to crafted inputs to infer information about its behavior or data. When this is done across sites, a page hosted on an attacker’s site uses JavaScript in a victim’s browser to send requests to the target website and to time how long those requests take to respond. The browser can’t reveal the content due to same-origin policy, but subtle timing differences in authentication checks, resource handling, or error messages can leak clues about the target’s state or data. This cross-origin setup—where the attacking code runs on one site and issues requests to another site through the victim’s browser—is what makes it a cross-site timing attack. Other terms don’t fit this scenario as precisely, since they describe broader or different contexts, whereas cross-site timing attack specifically captures the cross-origin timing channel created by JavaScript.