- From: Deian Stefan via GitHub <sysbot+gh@w3.org>
- Date: Tue, 14 Aug 2018 19:19:53 +0000
- To: public-css-archive@w3.org
> though it's not clear to me how important it is given the low rate of information leakage. (For example, if we worry about that... should we also worry about blocking exfiltration of data about the user's mouse movements, finger touches, or scrolling rate while reading text, from which one could infer a good bit about the user's reaction to the text? In other words, where is the limit of what the browser is responsible for blocking?) I think there is a distinction between the channels you mention. In particular, as the attacker I don't need to snoop on the event loop to learn history data from a different context. (Arguably this will remain a challenge even with Tab's proposal and not something I think we need to (yet) tackle.) Today, I can just perform the computation on sensitive data myself and sniff your history. -- GitHub Notification of comment by deian Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/3012#issuecomment-412985842 using your GitHub account
Received on Tuesday, 14 August 2018 19:20:01 UTC