W3C home > Mailing lists > Public > public-css-archive@w3.org > October 2020

Re: [csswg-drafts] [CSS-COLOR-4] Security/Privacy: Incognito mode (#5553)

From: Tab Atkins Jr. via GitHub <sysbot+gh@w3.org>
Date: Tue, 06 Oct 2020 17:15:53 +0000
To: public-css-archive@w3.org
Message-ID: <issue_comment.created-704424447-1602004552-sysbot+gh@w3.org>
Note that reading out a computed color in some colorspace has nothing to do with CSS's `:visited` history leak. That's a completely unrelated (and still quite annoying, sigh) problem.

Also, we're certain to grow Houdini APIs to let you convert between colorspaces, and I don't see a reason a priori why we wouldn't want to let custom colorspaces work in that as well.


Again, this is nothing more than a persistent-identifier-via-caching attack, right?  Is it anticipated that we will, in general, require substantial mitigations to ensure that these can't be observed (when possible), or are we just relying on the "cache gets cleared, we're cool" defense? So long as cache-clearing *does* wipe this out, this seems to offer zero new attack surface above a cached script or stylesheet.

If that's all we're worried about, then I don't think this needs further discussion; the referenced file is persisted in your browser cache per standard resource caching rules, and is cleared in the same way.

GitHub Notification of comment by tabatkins
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/5553#issuecomment-704424447 using your GitHub account

Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Tuesday, 6 October 2020 17:15:55 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 06:42:20 UTC