
Re: [csswg-drafts] [css-pseudo] Privacy considerations for external resources (#5731)

From: Arthur Sonzogni via GitHub <sysbot+gh@w3.org>
Date: Mon, 11 Jan 2021 14:04:59 +0000
To: public-css-archive@w3.org
Message-ID: <issue_comment.created-757972464-1610373898-sysbot+gh@w3.org>

Within ::spelling-error and ::grammar-error, the CSS property 'cursor' with the url(..) value would give a way to exfiltrate the user's dictionary.
I agree this value should be removed/ignored.

You said data-url might be an allowed exception. Are we sure there are no ways to know a data-url request was made?
1. Resource timing API: I did some local testing and also asked Yoav Weiss. Those are excluded.
2. Service worker: I believe from memory those are never allowed to serve a data-url.
3. The new performance.measureMemory(): It's a bit far-fetched, but I guess some inference seems possible. Displaying the image would consume some memory.

Being able to customize the cursor for grammar errors seems a niche use case. Removing this shouldn't hurt, right?

-- 
GitHub Notification of comment by ArthurSonzogni
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/5731#issuecomment-757972464 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Monday, 11 January 2021 14:05:01 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 06:42:25 UTC