W3C home > Mailing lists > Public > www-style@w3.org > August 2010

Re: NodeSelector, :visited, and :link

From: Brad Kemper <brad.kemper@gmail.com>
Date: Wed, 25 Aug 2010 23:50:08 -0700
Message-Id: <76A046A7-8237-4B8D-AA50-985B00F9B832@gmail.com>
Cc: Alan Gresley <alan@css-class.com>, Boris Zbarsky <bzbarsky@mit.edu>, Patrick Garies <pgaries@fastmail.us>, www-style <www-style@w3.org>
To: Garrett Smith <dhtmlkitchen@gmail.com>

On Aug 25, 2010, at 10:42 PM, Garrett Smith <dhtmlkitchen@gmail.com> wrote:

> On 8/25/10, Brad Kemper <brad.kemper@gmail.com> wrote:
>> 
>> 
>> On Aug 25, 2010, at 9:25 PM, Garrett Smith <dhtmlkitchen@gmail.com> wrote:
>> 
>>>> This is a security issue. Servers can track a computer's personal
>>>> browsing history by using attribute selectors together with :visited
>>>> or server side scripts (for which I have little knowledge) and :visited.
>>>> 
>>>> 
>>> And?
>> 
>> And then construct a very convincing phishing attack because they know what
>> bank you use and what products you showed interest in there.
> It seems that you're imparting commentary on the parts of the spec
> that I cited earlier. Did you read that message? You also seem to be
> missing the point of my post, though it's not so easy to determine if
> that is the case because you've not really stated a position. A la
> Alan's post.
> 
> Please do read all other messages in this thread.

I had been, but I hadn't memorized who said what. Sorry about that  And so when you replied to Alan whit a single word question, I guessed at what point you were questioning, which seemed to be the importance of the security issue he pointed out (as that was the apparent point of HIS post). 

If "and?" was instead intended to mean "and given that it is a serious security issue, then why not address my earlier point about making the moe secure behavior required instead of optional,", then I'd say one reason is that not all UAs are Web browsers. For instance, for an HTML-based help system, authored entirely by a controlled OS team, and unable to browse the Web, it might be more important to be able to differentiate responses based on what help files you've already seen, than to deal with a threat that doesn't really apply to it in it's limited scope. 
Received on Thursday, 26 August 2010 06:51:31 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 17:20:30 GMT