- From: CSS Meeting Bot via GitHub <sysbot+gh@w3.org>
- Date: Thu, 03 Dec 2020 00:37:16 +0000
- To: public-css-archive@w3.org
The CSS Working Group just discussed `[css-pseudo] Privacy considerations for external resources`.

The full IRC log of that discussion:

<dael> Topic: [css-pseudo] Privacy considerations for external resources
<dael> github: https://github.com/w3c/csswg-drafts/issues/5731
<dael> TabAtkins: rune realized that the spec for spelling-error grammar-error and related pseudo has privacy bits about not detecting spelling dictionary
<hober> q+
<dael> TabAtkins: As written spec allows you to load a bg image which would allow trigger os spelling errors. He proposes we disallow loading of external resources for styling on spelling and grammar errors
<dael> florian: Existing definition of external resources?
<Rossen_> q
<dael> TabAtkins: Probably not one we can link to
<dael> TabAtkins: I think it's reasonable to gloss over for now
<dael> florian: Thinking of things like data urls. If there's an existing definition we can work from it would be nice
<jyasskin> q+
<Rossen_> ack hober
<dael> hober: We already have visited. We do a lot of restrictions on what can do on visited including loading of external resources. Why not limit in same way?
<dael> TabAtkins: I believe visited excludes loading other backgrounds. Okay with that restriction even if more than we need.
<jyasskin> q+ to mention Spectre
<dael> hober: I think consistency is valuable. Even if it's a little more it simplifies model
<dael> fantasai: Isn't visited underdefined
<dael> TabAtkins: Some of details yes but what properties is well defined.
<dael> fantasai: I think a lot of your ideas were in a PR we couldn't merge
<dael> TabAtkins: That was about how we apply them, not what properties
<florian> q?
<Rossen_> ack jyasskin
<Zakim> jyasskin, you wanted to mention Spectre
<dholbert> q+
<dael> jyasskin: Wanted to ask how much worrying about Specter which can detect color changes. I've heard about partitioning visited which wouldn't work for spelling
<fantasai> TabAtkins, https://drafts.csswg.org/selectors-4/#link doesn't seem to have any details
<dael> florian: Both are fingerprinting risk but data from visited is more valuble. If it's easy to be consistent that's interesting. but more important to hide visited
<dael> s/Specter/Spectre
<dholbert> https://developer.mozilla.org/en-US/docs/Web/CSS/Privacy_and_the_:visited_selector is relevant (to the extent that it's accurate, which I think it is?)
<dael> florian: I'm saying it's related. We're less worried about the attack than on visited
<dael> florian: I think this is privacy sensitive only b/c fingerprinting. visited is privacy not just fingerprinting but the actual data. Protecting the data itself is relevant on visited. I don't think it is here.
<Rossen_> ack dholbert
<fantasai> s/more valuble/itself valuable independently of fingerprinting/
<dael> dholbert: I think visited restrictions could be problematic here. afaict it just limits you to properties that control colors and wouldn't allow add/remove underline which is main thing you want with spelling/grammar. It limits you to a couple properties and doesn't say you can't use external
<Rossen_> q?
<TabAtkins> Yeah, you're right fantasai, we don't actually have the list in the spec, I was misremembering
<dael> Rossen_: What do we do with this
<dael> fantasai: I think we can't align with visited. Current definition is the UA can do stuff to hide the visited-ness of the link. There's no details.
<dael> fantasai: We can be more precise here and say not loading external resources
<dael> fantasai: I can draft up wording what you can do stuff to preserve privacy such as not loading external resources and then we can have a more complete definition in the future that's general and we link to it
<dael> florian: wfm
<dael> Rossen_: Other opinions?
<dael> Rossen_: Is there a 1 line resolution we need?
<dael> Rossen_: Or continue in thread
<dael> hober: Depends on the text
<dael> fantasai: I'll draft up text and we can come back

--
GitHub Notification of comment by css-meeting-bot
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/5731#issuecomment-737582464 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Thursday, 3 December 2020 00:37:19 UTC