Re: [css-color][filter-effects] (was: Re: [filter-effects] Tainted filter primitives) from Tab Atkins Jr. on 2013-12-13 (www-style@w3.org from December 2013)

From: Tab Atkins Jr. <jackalmage@gmail.com>
Date: Fri, 13 Dec 2013 14:47:31 -0800
To: "Robert O'Callahan" <robert@ocallahan.org>
Cc: Dirk Schulze <dschulze@adobe.com>, public-fx <public-fx@w3.org>, www-style <www-style@w3.org>
Message-ID: <CAAWBYDCxnqf+z1svYFWMqGGER_ZHCWNiXAunT03QJp8x-1Wmog@mail.gmail.com>

On Fri, Dec 13, 2013 at 1:48 PM, Robert O'Callahan <robert@ocallahan.org> wrote:
> On Sat, Dec 14, 2013 at 8:11 AM, Tab Atkins Jr. <jackalmage@gmail.com>
> wrote:
>> That's silly.  There's no reason to break currentcolor just because
>> :visited is being used.  Plus, depending on implementation strategy,
>> actually getting the sanitized color is expensive (as you have to
>> rerun style matching, excluding all rules with :visited in their
>> selectors).
>
> FWIW, it's essential that getting the sanitized value be exactly as
> expensive as getting the regular value. Otherwise you open yourself to
> timing attacks.

Bah, that's true.  That means tracking two values for anything that
needs sanitization, unfortunately.

~TJ

Received on Friday, 13 December 2013 22:48:19 UTC