
Re: [selectors-api] Handling :link and :visited Pseudo Classes

From: L. David Baron <dbaron@dbaron.org>
Date: Wed, 16 Apr 2008 17:27:46 -0700
To: Ian Hickson <ian@hixie.ch>
Cc: Arve Bersvendsen <arveb@opera.com>, Maciej Stachowiak <mjs@apple.com>, Travis Leithead <travil@windows.microsoft.com>, Lachlan Hunt <lachlan.hunt@lachy.id.au>, public-webapi <public-webapi@w3.org>
Message-ID: <20080417002746.GA15562@ridley.dbaron.org>

On Wednesday 2008-04-16 22:41 +0000, Ian Hickson wrote:
> On Wed, 16 Apr 2008, L. David Baron wrote:
> > On Wednesday 2008-04-16 23:26 +0200, Arve Bersvendsen wrote:
> > > Also note that it is impossible to protect against Anne's suggested exploit 
> > > where you load a randomized and unique tracker image as background or 
> > > content for visited links, and do the data collection serverside instead.
> > 
> > It's not impossible; it just requires deviations from current standards 
> > and probably a lot of work.
> 
> Actually that one's trivial -- just load all background images 
> optimistically.

I was referring to the general problem.

For example, if background images were allowed, it would likely be
possible to do timing attacks based on image vs. no image, based on
images with vs. without transparency, or based on tiling of large
vs. small images, etc.

-David

-- 
L. David Baron                                 http://dbaron.org/
Mozilla Corporation                       http://www.mozilla.com/
Received on Thursday, 17 April 2008 00:28:51 GMT
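
The following is an added example, not part of the original message or thread: a small stylesheet audit for the pattern quoted above, where a rule makes an image request conditional on :visited state. The function name `findVisitedFetches`, the sample stylesheet and its `/t?id=` URLs are constructed for illustration.

```javascript
// Added example: audit a stylesheet for fetches that depend on :visited state.
// Regex-based sketch, not a full CSS parser (a ';' inside a quoted url() would
// split a declaration early).
const FETCHING_VALUE = /\b(?:url|image-set)\(/i;

function findVisitedFetches(css) {
  const findings = [];
  // Drop comments first so commented-out rules are not reported.
  const clean = css.replace(/\/\*[\s\S]*?\*\//g, "");
  // Match innermost "selectors { declarations }" blocks. Rules nested in
  // @media are reached too, because only the inner block is brace-free.
  const rule = /([^{}]+)\{([^{}]*)\}/g;
  let m;
  while ((m = rule.exec(clean)) !== null) {
    // :not(:visited) is flagged as well: the fetch still reveals link state.
    const visited = m[1].split(",").map((s) => s.trim())
      .filter((s) => /:visited\b/i.test(s));
    if (visited.length === 0) continue;
    for (const decl of m[2].split(";")) {
      const colon = decl.indexOf(":");
      if (colon < 0) continue;
      const property = decl.slice(0, colon).trim().toLowerCase();
      const value = decl.slice(colon + 1).trim();
      if (!FETCHING_VALUE.test(value)) continue;
      for (const selector of visited) findings.push({ selector, property, value });
    }
  }
  return findings;
}

// Constructed sample input; the /t?id= URLs are placeholders.
const SAMPLE_CSS = `
a:visited { color: purple; }
a.k1:visited { background: url(/t?id=k1); }
@media screen { a.k2:link, a.k2:visited::after { content: url("/t?id=k2"); } }
/* a.k3:visited { background: url(/t?id=k3); } */
a:link { background-image: url(/plain.png); }
`;

for (const f of findVisitedFetches(SAMPLE_CSS)) {
  console.log(`${f.selector}: ${f.property} = ${f.value}`);
}
```

A check like this only covers the request-based channel; it says nothing about the timing differences raised in the message.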