Re: [csswg-drafts] Wide review of Selectors 4 (#13469)

-  **What information does this feature expose, and for what purposes?** 
    - The [:visited](https://www.w3.org/TR/2026/WD-selectors-4-20260122/#visited-pseudo) pseudo-class can expose information about which sites a user has previously visited, if the UA is not careful to screen from scripting any information that would reveal which elements match it. This is further discussed in [Appendix C: Example Privacy-Preserving `:visited` Restrictions](https://www.w3.org/TR/2026/WD-selectors-4-20260122/#visited-privacy).
    - The [:autofill](https://www.w3.org/TR/2026/WD-selectors-4-20260122/#selectordef-autofill) pseudo-class can expose whether a user has interacted with this form before; however, the same information can be derived by observing how quickly the form is filled out.
-  **Do features in your specification expose the minimum amount of information necessary to implement the intended functionality?** 
    - Yes, we believe so
-  **Do the features in your specification expose personal information, personally-identifiable information (PII), or information derived from either?** 
    - Yes, in some cases. See [CSS Data Exfiltration](https://dev.to/matemiller/css-data-exfiltration-1p3l) and [Blind CSS Exfiltration: exfiltrate unknown web pages](https://portswigger.net/research/blind-css-exfiltration) for how the attribute selector can expose information to third parties. _(This exposure is not new to Selectors Level 4; it existed in Selectors 3.)_
- **How do the features in your specification deal with sensitive information?**
    - Not applicable
- **Does data exposed by your specification carry related but distinct information that may not be obvious to users?** 
    - Not that we are aware of
-  **Do the features in your specification introduce state that persists across browsing sessions?** 
    - No
- **Do the features in your specification expose information about the underlying platform to origins?**
    - No
-  **Does this specification allow an origin to send data to the underlying platform?** 
   - That depends on the host language which is using Selectors. For CSS, the answer is **No**.
- **Do features in this specification enable access to device sensors?** 
  - No
-  **Do features in this specification enable new script execution/loading mechanisms?** 
   - No
-  **Do features in this specification allow an origin to access other devices?**
   - No
-  **Do features in this specification allow an origin some measure of control over a user agent’s native UI?** 
   - No
- **What temporary identifiers do the features in this specification create or expose to the web?** 
   - None
-  **How does this specification distinguish between behavior in first-party and third-party contexts?** 
   - It does not
- **How do the features in this specification work in the context of a browser’s Private Browsing or Incognito mode?** 
  - No difference
- **Does this specification have both "Security Considerations" and "Privacy Considerations" sections?** 
  - Yes
- **Do features in your specification enable origins to downgrade default security protections?** 
   - No
- **What happens when a document that uses your feature is kept alive in BFCache (instead of getting destroyed) after navigation, and potentially gets reused on future navigations back to the document?**
  - Depends on the host language. For CSS, see CSS View Transitions, [View Transition Lifecycle](https://drafts.csswg.org/css-view-transitions-2/#lifecycle)
- **What happens when a document that uses your feature gets disconnected?** 
    - Depends on the host language.
- **Does your spec define when and how new kinds of errors should be raised?** 
    - Depends on the host language.
- **Does your feature allow sites to learn about the user’s use of assistive technology?** 
    - Depends on the host language.

-- 
GitHub Notification of comment by svgeesus
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/13469#issuecomment-3872823451 using your GitHub account



Received on Monday, 9 February 2026 16:44:59 UTC