
Re: [csswg-drafts] [css-scrollbars-1]

From: Nadya678 via GitHub <sysbot+gh@w3.org>
Date: Wed, 27 Dec 2017 22:47:28 +0000
To: public-css-archive@w3.org
Message-ID: <issue_comment.created-354189711-1514414847-sysbot+gh@w3.org>

Security problem of the css-scrollbars-1 @ 14 Nov 2107 draft:
ThreeDFace, ThreeDDarkShadow etc. can be used to detect the user's colour composition in the OS. If the user has set a non-standard composition in their OS (for example Windows Classic in Windows 8.1, extended personalized themes etc.), the browser will inherit these colours and in computed values or copied area (with JavaScript both) the real colour values of these 8 values. There may be tracked 8 colours (each of them having three 0..255 values) and additionally there is able to track original width and height of scrollbar. **There is a 25-byte length identifier that can be unique and help to track the user!** It is a strong impact for privacy and security.

Thus: the standard width/height of scrollbar shall be standardized to 17px (it is the most often value), the colours of each pseudoelement of scrollbar also shall be standardized for PC browsers and smartphones. Web-developers shall be able to manipulate these values but shall not be able to read colours of OS composition.

If the ThreeDDarkShadow etc. are used in any working draft/recommendation, PLEASE define standard values for them. For example ThreeDDarkShadow ::= #808080 (I propose grayscale for them).


GitHub Notification of comment by Nadya678
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/2007#issuecomment-354189711 using your GitHub account
Received on Wednesday, 27 December 2017 22:47:29 UTC
