- From: Arthur Sonzogni via GitHub <sysbot+gh@w3.org>
- Date: Mon, 11 Jan 2021 14:04:59 +0000
- To: public-css-archive@w3.org
Within ::spelling-error and ::grammar-error, the CSS property 'cursor' with the url(..) value would give a way to exfiltrate user's dictionnary. I agree this value should be removed/ignored. You said data-url might be an allowed exception. Are we sure there are no ways to know a data-url request was made? 1. Resource timing API: I did some local testing and also asked Yoav Weiss. Those are excluded. 2. Service worker: I believe from memory those are never allowed to serve a data-url. 3. The new performance.measureMemory(): It's a bit far fetched, but I guess some inference seems possible. Displaying the image would consume some memory. Being able to customize the cursor for grammar errors seems a niche use case. Removing this shouldn't hurt, right? -- GitHub Notification of comment by ArthurSonzogni Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/5731#issuecomment-757972464 using your GitHub account -- Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Monday, 11 January 2021 14:05:01 UTC