Re: [csswg-drafts] [selectors] :link and :visited are not mutually exclusive in implementations from Emilio Cobos Álvarez via GitHub on 2017-12-06 (public-css-archive@w3.org from December 2017)

From: Emilio Cobos Álvarez via GitHub <sysbot+gh@w3.org>
Date: Wed, 06 Dec 2017 00:50:10 +0000
To: public-css-archive@w3.org
Message-ID: <issue_comment.created-349492242-1512521406-sysbot+gh@w3.org>

> Apply all :link rules and, for allowed properties, also apply all :visited rules (at the same time).

As I understand it, assuming you only apply `:visited` rules to actually visited links (which per your description looks like it), your behavior can be prone to timing attacks.

At least Gecko cascades and selector-matches both visited and unvisited rules _regardless_ of whether the link was actually visited in the first place, to prevent this kind of issues. If I'm not wrong, I should be able to query history in edge adding very expensive selectors to the `:visited` rules, and observing the time difference it takes to style a link vs another.

-- 
GitHub Notification of comment by emilio
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/2037#issuecomment-349492242 using your GitHub account

Received on Wednesday, 6 December 2017 00:50:12 UTC