Re: [csswg-drafts] [css-color] Mitigating fingerprinting for AccentColor/AccentColorText (#10372)

> > As long as they resolve to the same color at any given time, I think it's ok to expose one of them on a broader set of websites than the other
> 
> [@LeaVerou](https://github.com/LeaVerou) could you clarify what you mean by this point? As I understand it, if we limit the exposure of `AccentColor` to installed apps to mitigate the fingerprinting risk, we'd need to limit `accent-color: auto` in the same way in order to guarantee these use the same color in all cases, unless I misunderstand. Or are you saying that if only `accent-color: auto` is used on a page (and that page doesn't apply `AccentColor` anywhere), then we could expose it more fully? And if both are used, restrict both? If so, that also could potentially lead to author confusion in some cases.

I’m saying that it should not be possible, in any context, and under any conditions, for the same page to be **visibly** using two different accent colors at the same time, whether those are obtained by using the `AccentColor` keyword, or setting `accent-color` to something and having native controls adapt. This also applies to `AccentColor` being used in interpolation, relative colors, etc. If authors cannot trust that they won't end up in this situation, they simply won't use `AccentColor`, so I think that bare minimum should be a hard requirement.

For example, this means:
- If `accent-color: auto` resolves to the system accent color, so should `AccentColor`.
- If `AccentColor` is aliased to some default value, that's what `accent-color: auto` should produce as well.

If `accent-color: auto` resolves to the system color in installed apps, and `AccentColor` allows you to read that system color, whereas in non-installed apps both resolve to a default, e.g. blue, that's fine, since it still maintains consistency within the page itself.

> Or are you saying that if only `accent-color: auto` is used on a page (and that page doesn't apply `AccentColor` anywhere), then we could expose it more fully? 

I think that's a slippery slope. What are you going to do if e.g. JS reads it later? Flip everything to use blue all of a sudden?

---

In *addition* to the point above, my personal vote would go towards exposing the system value in all contexts, but I'm not a privacy expert. 

<details>
<summary>Unpopular opinion</summary>

Given that at this point users can be uniquely identified [by the way they type](https://www.typingdna.com/) or their [mouse behavior](https://arxiv.org/html/2208.09061v2) *anyway*, I suspect the battle to conserve bits of entropy in web platform design (with clear ergonomics and capability tradeoffs) is not going to be seen as a worthy goal for much longer.
</details>

-- 
GitHub Notification of comment by LeaVerou
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/10372#issuecomment-3275233705 using your GitHub account



Received on Wednesday, 10 September 2025 14:26:41 UTC