Re: [css-shaders] security - timing attacks

From: Bjoern Hoehrmann <derhoermi@gmx.net>
Date: Fri, 21 Oct 2011 02:06:57 +0200
To: "Gregg Tavares (wrk)" <gman@google.com>
Cc: www-style list <www-style@w3.org>
Message-ID: <ond1a7tm4csos4p85moerpc057md4j2va3@hive.bjoern.hoehrmann.de>
* Gregg Tavares (wrk) wrote:
>On Thu, Oct 20, 2011 at 4:06 PM, Dean Jackson <dino@apple.com> wrote:
>> I think that's the key here. A CSS shader (or even any CSS filter really)
>> should not get any cross-domain iframe content as input.
>
>Even without that you can spy on a user's link history by checking his
>"visited" colors using this method.

This would seem to be defeated by considering links unvisited for the
purposes of shader input, like they are considered unvisited for many
other purposes in browsers that try to protect against history leaks,
even if that doesn't seem terribly convenient to implement.
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 
Received on Friday, 21 October 2011 00:07:25 GMT
