Re: [css-houdini-drafts] [css-paint-api] CSS Paint API leaks browsing history

Ugh, nice attack. I don't see a reasonable way around this, and disabling the API on all `<a>` elements or their descendants is not a viable forward tactic.

We really need to finally handle this at the higher level, and censor `:visited` state *entirely* (not matching `:visited` *at all*) unless the visited state is already observable to the page via a standard channel. I filed <https://github.com/w3c/csswg-drafts/issues/3012> to see if we can solve this in CSS properly.

-- 
GitHub Notification of comment by tabatkins
Please view or discuss this issue at https://github.com/w3c/css-houdini-drafts/issues/791#issuecomment-412357569 using your GitHub account

Received on Sunday, 12 August 2018 17:15:42 UTC