- From: Tab Atkins Jr. via GitHub <sysbot+gh@w3.org>
- Date: Fri, 02 Oct 2020 21:10:42 +0000
- To: public-css-archive@w3.org
> The concern I described isn't from cross-site scripting, but the site itself loading a malicious color profile. In order to read the color from the screen after using a color keyword, something like the following could be employed: I believe you're describing a persistent-identifier attack, smuggled via the browser's cache for the referenced color-profile file, right? Deliver a detectably-unique ICC file to each user, then later check the results to see if it's a previously-detected user. Given that this depends on a malicious script *and* ICC file, tho, how is this different from just sending a unique *script file* with a user identifier in it? Cache-clearing should wipe out both of these anyway, right? -- GitHub Notification of comment by tabatkins Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/5553#issuecomment-702959464 using your GitHub account -- Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Friday, 2 October 2020 21:10:44 UTC