[csswg-drafts] [css-values-4] Privacy concern around URL interpolation. (#6840) from Oliver Brotchie via GitHub on 2021-11-28 (public-css-archive@w3.org from November 2021)

From: Oliver Brotchie via GitHub <sysbot+gh@w3.org>
Date: Sun, 28 Nov 2021 09:55:22 +0000
To: public-css-archive@w3.org
Message-ID: <issues.opened-1065287471-1638093320-sysbot+gh@w3.org>

OliverBrotchie has just created a new issue for https://github.com/w3c/csswg-drafts:

== [css-values-4] Privacy concern around URL interpolation. ==
As discussed in [CSS fingerprinting](https://github.com/OliverBrotchie/CSS-Fingerprint), allowing [interpolation of variables into URLs](https://www.w3.org/TR/css-values-4/#url-modifiers) will make fingerprinting attacks extremely scalable as it dramatically reduces the large number of requests per user that is required currently - the main limiting factor on the wide-scale adoption of this technique.

I understand that the default position on CSS security is that running untrusted CSS is inherently unsafe ([#5092](https://github.com/w3c/csswg-drafts/issues/5092#issue-621357518), [#2426](https://github.com/w3c/csswg-drafts/issues/2426#issue-303665356), [#2339](https://github.com/w3c/csswg-drafts/issues/2339)), however, I think it would be best to raise this as an issue nonetheless. 

Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/6840 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Sunday, 28 November 2021 09:55:24 UTC