W3C home > Mailing lists > Public > public-css-archive@w3.org > October 2020

Re: [csswg-drafts] [CSS-COLOR-4] Security/Privacy: Incognito mode (#5553)

From: x-Jake-x via GitHub <sysbot+gh@w3.org>
Date: Thu, 01 Oct 2020 09:02:59 +0000
To: public-css-archive@w3.org
Message-ID: <issue_comment.created-701996601-1601542978-sysbot+gh@w3.org>
The concern I described isn't from cross-site scripting, but the site itself loading a malicious color profile. In order to read the color from the screen after using a color keyword, something like the following could be employed: https://jsfiddle.net/fcn9jk3z/

However, the draft specifies using a string giving a color name defined by the color space. The only type of color profile loading that is described is loading an ICC profile, so I assume (possibly incorrectly) at the moment that is the only type of color profile that can be loaded. I do not know what other profiles exist besides this format or how those profiles would describe color names using strings.

I have tried to research, and I could not find any data relating to using color keywords from an ICC profile, or whether an ICC profile is even capable of supporting such keywords. I suppose that particular hypothetical vector must be moot in this case, but I'm glad it was at least explored.

The out-of-gamut mapping issue for a remote resource ICC profile is still a possibility, but I suspect that browsers as user agents will only end up mapping to rgb() (per the example in the jsfiddle), so that type of fingerprinting/profiling is also limited in how many people it could track. I won't go so far as to say that it is completely out of the question though.

GitHub Notification of comment by x-Jake-x
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/5553#issuecomment-701996601 using your GitHub account

Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Thursday, 1 October 2020 09:03:01 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 06:42:20 UTC