
Re: [csswg-drafts] [CSS-COLOR-4] Security/Privacy: Incognito mode (#5553)

From: Tab Atkins Jr. via GitHub <sysbot+gh@w3.org>
Date: Fri, 02 Oct 2020 21:10:42 +0000
To: public-css-archive@w3.org
Message-ID: <issue_comment.created-702959464-1601673040-sysbot+gh@w3.org>
> The concern I described isn't from cross-site scripting, but the site itself loading a malicious color profile. In order to read the color from the screen after using a color keyword, something like the following could be employed:

I believe you're describing a persistent-identifier attack, smuggled via the browser's cache for the referenced color-profile file, right? Deliver a detectably-unique ICC file to each user, then later check the results to see if it's a previously-detected user.

Given that this depends on a malicious script *and* ICC file, tho, how is this different from just sending a unique *script file* with a user identifier in it? Cache-clearing should wipe out both of these anyway, right?

GitHub Notification of comment by tabatkins
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/5553#issuecomment-702959464 using your GitHub account

Received on Friday, 2 October 2020 21:10:44 UTC
