W3C home > Mailing lists > Public > public-houdini@w3.org > February 2015

Re: Proposal for adding @extend to CSS

From: Tab Atkins Jr. <jackalmage@gmail.com>
Date: Tue, 3 Feb 2015 19:06:37 -0800
Message-ID: <CAAWBYDC8X8EfVt72vomqN2jXrC=6w7TbYhN46MaPZyAdF6guSQ@mail.gmail.com>
To: Michiel Bijl <michiel@agosto.nl>
Cc: Fran├žois REMY <francois.remy.dev@outlook.com>, "public-houdini@w3.org" <public-houdini@w3.org>
On Mon, Feb 2, 2015 at 3:15 AM, Michiel Bijl <michiel@agosto.nl> wrote:
> What exactly is the (security) issue with a:visited?

You can style links differently with :visited, produce a bunch of
links, and check their styles, which lets you tell which sites the
user has visited recently.  This is a privacy violation, and makes it
easier to, for example, phish effectively, since you can tell which
bank the user visits, etc.

To limit this, browsers limit rules containing a :visited pseudoclass
to only be able to apply a handful of styles (nothing that causes
network requests, or that changes layout in an observable way; you can
pretty much only do color and text-decoration), and whenever you do
getComputedStyle(), they lie and claim all links are unvisited while
computing the style, so you can't even tell when directly querying the

> Are their any thoughts on how one could make this backwards compatible-ish? Something like flex box can be used fairly safe, but something like @extend would be a lot harder I feel. Any thoughts?

You use a preprocessor.  Native @extend gives you slightly richer/more
complete semantics than preprocessor @extend, but it's close enough to
work most of the time (according to Natalie, the lead maintainer of

Received on Wednesday, 4 February 2015 03:07:24 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 11 February 2015 15:47:05 UTC