Re: [csswg-drafts] Rewrite :visited rules to match reality, based on dbaron's spec.

Now instead of messing with the spec and creating a dirty implementation that works in weird ways (like explained in dbarons blog) why could the standards body not simply remove/deprecate `:visited` or at least move it into a different security profile (such as trusted or local single page applications only).

Then to enable the use case (notify users of a link that has already been visited) browser vendors could implement a tool-tip that is rendered ontop of the canvas not reachable by getComputedStyle, PointerEvents or anything else as it is a OS-tooltip, which would somehow notify the user about the state of visit.

Now this is not the most convenient for users, but it is the most secure.

Another way around this would be security profiles where :visited would always work on urls of the same domain, maybe even across subdomains of the same domain, but never onto foreign domains.

Foreign domains could then implement something like access control origin where they declare which domains would show the users visiting history, users could then accept those shared history suggestions/lists.

While all these are just bits of ideas, I am pretty sure at some point in future dbarons implementation will bite back because some browser API want's to read what's the pure render color below the mouse pointer or whatnot. `:visited` security constraints will be forgotten quickly or ignored by "greater needs".

-- 
GitHub Notification of comment by ionas
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/pull/2105#issuecomment-361884545 using your GitHub account

Received on Wednesday, 31 January 2018 10:09:56 UTC