Inferring private data via cross-origin execution timing.
The Vulnerability: Even when CORS prevents a malicious site from reading an API's JSON response, the browser still executes the network request. If the server takes a different amount of time to process a "Hit" versus a "Miss", the attacker can measure that difference using performance.now().
State Inference: By systematically querying keywords, an attacker can determine if the logged-in user has access to "project_x" or possesses "confidential" documents, purely based on response latency.
SameSite=Lax or Strict prevents the browser from sending the user's session cookie during the cross-origin request, making the timing attack measure the unauthenticated state.